Analysis Overview
SHA256
d57b10e9d526efa1bd489c873ec7df24614816de093610d5f47c843728814053
Threat Level: Known bad
The file !@ŜetUp__64911--Pas̈ᶊW0rd!$!$!.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Amadey
Downloads MZ/PE file
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in Windows directory
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Netsh Helper DLL
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 17:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-09 17:17
Reported
2024-07-09 17:21
Platform
win7-20240705-en
Max time kernel
144s
Max time network
17s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1628 wrote to memory of 2384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1628 wrote to memory of 2384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1628 wrote to memory of 2384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2384 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2384 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2384 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2824 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2824 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2824 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\file___here\!!ṨetUp--@!Pa$$Kḙy!$$__64911.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\file___here\!!ṨetUp--@!Pa$$Kḙy!$$__64911.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\file___here\!!ṨetUp--@!Pa$$Kḙy!$$__64911.rar
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\file___here\!!ṨetUp--@!Pa$$Kḙy!$$__64911.rar"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-09 17:17
Reported
2024-07-09 17:19
Platform
win7-20240705-en
Max time kernel
44s
Max time network
20s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2988 set thread context of 812 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\a6d9ec20
| MD5 | 5f0dfee0331752fdce995eb113a528be |
| SHA1 | cb1aabb366b35f47c60b36dd3c7e495779bc44e8 |
| SHA256 | 1f36ea13fca11044e9579c85a496ba34aba93822ca292fddd2c10215e23d69d1 |
| SHA512 | 461e8b326fac49978178a0016a0459af53f9c88ee417201f0250d909ebd8aebb078a0425ad612591746be1a46afc02e7a64bcfdfadf4c5e5583d65136f1415a7 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-09 17:17
Reported
2024-07-09 17:21
Platform
win7-20240705-en
Max time kernel
140s
Max time network
124s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\rondure.flv"
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-09 17:17
Reported
2024-07-09 17:21
Platform
win7-20240704-en
Max time kernel
13s
Max time network
19s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tak_deco_lib.dll,#1
Network
Files
memory/1996-0-0x0000000000100000-0x000000000015E000-memory.dmp
memory/1996-1-0x0000000000100000-0x000000000015E000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-09 17:17
Reported
2024-07-09 17:21
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tak_deco_lib.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/4040-0-0x0000000000400000-0x000000000045E000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 17:17
Reported
2024-07-09 17:19
Platform
win7-20240704-en
Max time kernel
15s
Max time network
17s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!@ŜetUp__64911--Pas̈ᶊW0rd!$!$!.zip
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 17:17
Reported
2024-07-09 17:20
Platform
win10v2004-20240709-en
Max time kernel
100s
Max time network
102s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!@ŜetUp__64911--Pas̈ᶊW0rd!$!$!.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-09 17:17
Reported
2024-07-09 17:21
Platform
win10v2004-20240709-en
Max time kernel
93s
Max time network
100s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\file___here\!!ṨetUp--@!Pa$$Kḙy!$$__64911.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-09 17:17
Reported
2024-07-09 17:21
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Amadey
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1528 set thread context of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4520 set thread context of 3112 | N/A | C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1896 set thread context of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe | C:\Windows\SysWOW64\netsh.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\MH Beacon Helper.job | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\Tasks\ToolUpdate.job | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe
"C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe
"C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bittercoldzzdwu.shop | udp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 8.8.8.8:53 | 113.134.67.172.in-addr.arpa | udp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 8.8.8.8:53 | foodupdates.shop | udp |
| US | 104.21.48.83:443 | foodupdates.shop | tcp |
| US | 8.8.8.8:53 | 83.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.steamstatic.com | udp |
| GB | 2.16.170.57:443 | cdn.steamstatic.com | tcp |
| US | 8.8.8.8:53 | 57.170.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | downloaddining3.com | udp |
| US | 8.8.8.8:53 | downloaddining.com | udp |
| US | 8.8.8.8:53 | downloaddining2.com | udp |
| RU | 45.140.19.240:80 | downloaddining.com | tcp |
| US | 104.21.77.130:80 | downloaddining3.com | tcp |
| US | 104.21.53.53:80 | downloaddining2.com | tcp |
| US | 8.8.8.8:53 | contur2fa.recipeupdates.rest | udp |
| US | 172.67.197.250:443 | contur2fa.recipeupdates.rest | tcp |
| US | 8.8.8.8:53 | 53.53.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.77.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.197.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.19.140.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\df2e7189
| MD5 | f93e936c7eb82d5739a85439b8ea96dc |
| SHA1 | fa4ff832333b5b1e95e2290d7a71c644e58a21c6 |
| SHA256 | 8bc08ec625a022b7c5a4de7c024c0bcd3c8f4ad9a69a0e29ca1cde1e4460e7c5 |
| SHA512 | b5038a0ad4a8ea19105c62310875e99ee1ae3192d78b0d2523f1ed42b0bd4a32ab881093b9bdbccdaec35a19cb2cced04f7ab6fc27637a2890ffa047fbc13227 |
C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe
| MD5 | d8d3eaf3756ec2fd01063f9fd2623c7e |
| SHA1 | 0e63c687984112e96bbfcf985c1fbf602f1c86e4 |
| SHA256 | 0ac72e797e244a733d5357b9fc90a5efaee168b5ab9b751493c080183be58829 |
| SHA512 | d87f33d7b6596719545899be6f54eb0f3b9f4ccf2ab4afea16d2a05386201c77243a6c80890ace81940ae2a09f743329bc3ed38b03499b2f6700da363668fa6c |
memory/1896-27-0x0000000000640000-0x0000000000973000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aaf13407
| MD5 | 0bb8b2b96cd95f9a6fb8192883c94ca7 |
| SHA1 | 16b7b4cfcacef943b4824e21b475c295cb4d9dff |
| SHA256 | 42139a8703db654c15f60607495822317b23a29b7c64b1b083428cc3716c14ec |
| SHA512 | 44d45b97bf76b3194375f2a63314dacf47add2223b37a9e080ddcfe49cb30a844436686ae62842cb08589b1b248c864b5d17ee7ae3e766931722824bd205565b |
memory/1896-33-0x0000000073560000-0x00000000736DB000-memory.dmp
memory/1896-34-0x00007FFFD0450000-0x00007FFFD0645000-memory.dmp
memory/4736-35-0x0000000000F20000-0x0000000000F72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe
| MD5 | 753234a5fa72cf7ff8c56fd867478f31 |
| SHA1 | 9d689ec16a5da11eea5e60c800ef2bce6f4212f3 |
| SHA256 | 211646612334caf8f5779788e6b9bd3a47a23c35c9cdcddddca34cba4e12379f |
| SHA512 | f641b30948127a0ee9bd538d4ad3aaae1047720a141eb71f2f82276cbd2bb5393e174a7f5a79778ef248ca43781dd55bdaa1d7cf84ef12a8e99028b5fb0a9e82 |
memory/4736-39-0x0000000000F20000-0x0000000000F72000-memory.dmp
memory/4520-40-0x0000000000DB0000-0x000000000136E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b5fa3146
| MD5 | f74f23c47dbb6ed0a1422be1c86ba44d |
| SHA1 | 585956eab70da3892bd82cf21470be142daec324 |
| SHA256 | aa2cc4edd00008635d8c09a5706b5e5b28886825065895afe733426c794af041 |
| SHA512 | 9db56c720c03f87d332cdab8d61ff22f0b2dd376bb22ef91b6b8a52dbcb6893bdf7a7db0a55dc10e23619ed1099a8a773f1bdacdad70ca04733bc60b440280dd |
memory/4520-47-0x0000000073560000-0x00000000736DB000-memory.dmp
memory/4520-48-0x00007FFFD0450000-0x00007FFFD0645000-memory.dmp
memory/4520-49-0x0000000073560000-0x00000000736DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b9c8160e
| MD5 | 4dd3343ff41a04d28619a6e5348f1bcb |
| SHA1 | 2f2f186fea2ab0a18145493656e1604c5cbd3b09 |
| SHA256 | ce4103ab41adacf57880417d16675b7c3c3868411788270b262fb44be1326eb6 |
| SHA512 | 0badb1b5ac0f66de09e36a92f5728e448dbf6d63bf9458515de1e450619779d6c246b49b80b41d9576285079760df1241a38eaf0b444b86d9ea67b8530d8822d |
memory/3112-52-0x00007FFFD0450000-0x00007FFFD0645000-memory.dmp
memory/1896-55-0x0000000073560000-0x00000000736DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ad7e3d76
| MD5 | f3a63736867debbed5eb74f1c05e965d |
| SHA1 | efe575e9fbe9bf574118c0e4fb64bfb02b4fd245 |
| SHA256 | f42fbddb039440a114437e575d6231dd6d38897957f4967fa339383fd1b6d3df |
| SHA512 | c8d575144e59f99ffd4aeea47465da8152b9b460a3c2b1219d8f99849b037e581cd181fb49b511a10d9f0ebbd4ebf61bf8c9e4138e5c12c88c6c69aef3112977 |
C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1
| MD5 | 0fb684cc15d197c0b937e5528359d7c8 |
| SHA1 | 7d963246f52f42012bdcddb31214283c84c954ed |
| SHA256 | e767d70fc57483aae7a20cb094a9bfc1fd4f04e97fb772cd6892d057e5be4260 |
| SHA512 | c40335f72f802479dc0926704d87670a782362fedae5bb50179d427fc343c6a33cfe09f4640acb15624d1511d3d66f76d87f663f9ad430fc2ddb00c54056103c |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obh3uni5.z50.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-09 17:17
Reported
2024-07-09 17:21
Platform
win7-20240705-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\formwork.gz
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\formwork.gz
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\formwork.gz
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\formwork.gz"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 18c3763742e210f4ae4c2017e49a70c5 |
| SHA1 | 60e017b0e3a551034f4836a11c8d6faa87515b43 |
| SHA256 | 57e4c78d1e83f1460b3f489d4056645370b3fec8b0971ca0e7704cc3d64dfd7c |
| SHA512 | 1cb896873fe8722dc0156982a5809a3ab0d923f9cc481fc516f454b049f2719f5d90d63a35ddc0acef339ac7415b99eee1d98cbc277f181acdc22f149117557a |
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-09 17:17
Reported
2024-07-09 17:21
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\formwork.gz
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-09 17:17
Reported
2024-07-09 17:21
Platform
win10v2004-20240709-en
Max time kernel
141s
Max time network
124s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\rondure.flv"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files