Malware Analysis Report

2025-04-13 12:36

Sample ID: 240803-azgqnaxanm
Target: injectorStarter.exe
SHA256: cf0514fa706a4cbb3ddc7e23665fe1eafa24dd1f97fa609c80c5d0dee246d71c
Tags: discovery asyncrat default rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: cf0514fa706a4cbb3ddc7e23665fe1eafa24dd1f97fa609c80c5d0dee246d71c

Threat Level: Known bad

The file injectorStarter.exe was found to be: Known bad.

Malicious Activity Summary

discovery asyncrat default rat

AsyncRat

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates processes with tasklist

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-03 00:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-03 00:38

Reported: 2024-08-03 00:39

Platform: win7-20240729-en

Max time kernel: 12s

Max time network: 7s

Command Line

"C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates processes with tasklist

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\OutdoorsBg | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A
File opened for modification | C:\Windows\BrotherOfficial | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A
File opened for modification | C:\Windows\ThinksGoods | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A
File opened for modification | C:\Windows\ExaminingBryant | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A
File opened for modification | C:\Windows\MakesAdolescent | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A
File opened for modification | C:\Windows\RelyModeling | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

Tags: persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2112 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2000 wrote to memory of 2140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2000 wrote to memory of 2140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2000 wrote to memory of 2140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2000 wrote to memory of 2744 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2000 wrote to memory of 2744 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2000 wrote to memory of 2744 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2000 wrote to memory of 2744 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2000 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2000 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2000 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2000 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2000 wrote to memory of 2496 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2000 wrote to memory of 2496 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2000 wrote to memory of 2496 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2000 wrote to memory of 2496 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2000 wrote to memory of 3020 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 3020 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 3020 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 3020 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2608 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2000 wrote to memory of 2608 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2000 wrote to memory of 2608 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2000 wrote to memory of 2608 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2000 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2024 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif
PID 2000 wrote to memory of 2024 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif
PID 2000 wrote to memory of 2024 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif
PID 2000 wrote to memory of 2024 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif
PID 2000 wrote to memory of 800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 2000 wrote to memory of 800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 2000 wrote to memory of 800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 2000 wrote to memory of 800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 2024 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | C:\Windows\SysWOW64\schtasks.exe
PID 2024 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | C:\Windows\SysWOW64\schtasks.exe
PID 2024 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | C:\Windows\SysWOW64\schtasks.exe
PID 2024 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | C:\Windows\SysWOW64\schtasks.exe
PID 2348 wrote to memory of 1820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2348 wrote to memory of 1820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2348 wrote to memory of 1820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2348 wrote to memory of 1820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe

"C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Respondent Respondent.cmd & Respondent.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 39531

C:\Windows\SysWOW64\findstr.exe

findstr /V "resultsadapterdeniedclosed" Lotus

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Oman + Grid + Facing + Hewlett 39531\n

C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif

Mounted.pif n

C:\Windows\SysWOW64\choice.exe

choice /d y /t 15

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Social" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\PrometheusFlow.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "PrometheusFlow" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\PrometheusFlow.js'" /sc onlogon /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Social" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\PrometheusFlow.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | RarchmrXhvP.RarchmrXhvP | udp

Files

C:\Users\Admin\AppData\Local\Temp\Respondent

MD5 2c80cd8d1a211878311e15c988e43e43
SHA1 0f6075906be644ce00158f2f9bbc2c1d841055c4
SHA256 bef483b04221118610f9a86a5acbf29468c72ce05c949d371f20af05127caef4
SHA512 dd4b0f7643d27bd35c5009442d0a58cf026eaff9dbc60bd23bbc5726fdf7b5826d57830b0106e974b773db16a516651b710e56a0af9bc56390345b65abd11cfa

C:\Users\Admin\AppData\Local\Temp\Lotus

MD5 c3650f3b9c198544848ad56b0a516b34
SHA1 af9eadeeab33d9f9f1d34cc9fed37ffd79fe8fef
SHA256 4e0413381da3a43e566e5564125b1d6c7807ec394855bb78b992e8c120c875df
SHA512 d42395fa7b2333965a004bc62e3d4c093e2a349199ba7699987a3acbe8eb0a5a04d7712279f0e80f6569f8f1f14a89e55e86e5e54f0132b5d5c2fd2cb0fb89ee

C:\Users\Admin\AppData\Local\Temp\Smart

MD5 cdd5950e7a5ff576a909f2cc0a724fa9
SHA1 8ee1f4278a943d2619f85afb8efdc59649d79a4e
SHA256 4c92fc69142b46c15880c534f01f17393859a9ebe0d2e9e8ef22d2089116fa80
SHA512 293e2134967a09bb0eed77369f96f9ea4156ff6e8cab16d5e964d4c2a2c7622412f3e42c7a2a4d1bd97384e8495e8566de9c0ae6789269580e3be6674a1f9d4b

C:\Users\Admin\AppData\Local\Temp\Via

MD5 1b2a11d81c131d8a7201d7273e729f4d
SHA1 bc946d54f492c2c4720744491198c0d4726a867a
SHA256 be2ae9d92507a8e5ca3af69308578912265bb0c2b7a187ba76993472840309d0
SHA512 12df734187c66ccd3f38766d2f81abb728b6ca645ce3ec1884c7441e631216033bfabc74771d702f59f8f3a6834f4dc8c823c6e8495e5fef7a252ad68db360fa

C:\Users\Admin\AppData\Local\Temp\Types

MD5 3132f4c3b0ebb637f372a5f25bda7e2c
SHA1 975cb8ad8686adc7d0b94a2e1e607838b7a4f324
SHA256 be400ddd579787c75484667c49064a39b6f140f165019f8db7b469a455d5c68c
SHA512 237e48e69d59f16b4585fe0ce4ec4e02ea1dee80f69e4e7e46691108e6b9dbf8ff72637b4c9fb7cd705ed0accb7a560b6ae440dc1bf1160a6a233282a7568b09

C:\Users\Admin\AppData\Local\Temp\Karl

MD5 4afec75b2b84c69bb310bd981b0900f5
SHA1 b59f58965d9051c8fb44af88fd3f583ac3a7276a
SHA256 965ea78ab73ea3d947fc7f0b991c640057743cdea8488a0185d2a9aa4a0dc9cf
SHA512 453d2e55bc1130cc8c6dee120c34e7559ca8eda4d35059a8633b62093eaca648e6406955c6d4b8b8f8d0c37e665d13e8ebc51c85378651f357b671c2f2791fbb

C:\Users\Admin\AppData\Local\Temp\Breathing

MD5 add15a329a97bb45ddc59b0bd8bc7ab6
SHA1 8e0e1a91deabce91d237d4dac1d932ce5ced3241
SHA256 ec1b15e76193eee6b374895c9703f4f35a15118ecd6f340e053a39ae9dc5f248
SHA512 91fe85c2b9460c979b1aa69dcf9f6c6256494c62613d50e957af68e8190c309932949e8ad6379dc49ac43d554e17d89cd36ded3d20b79b3d9ead8f7041fb0f87

C:\Users\Admin\AppData\Local\Temp\Series

MD5 dcf5d2bfb0b7b0852db5f86c0bbf0b2f
SHA1 83c3b09a9e02169c7ef7ba58b5a41c9e34f0e43b
SHA256 e62e4786985495bb27d215f28755407acbca3fe585a7b63edfa52a843052f4ee
SHA512 d018e24707f7547a761517490705bbb80847e124085b74ef690f0604e3db52cfe8e6856fdb5b77fc86ceb7931a6ac430ac1e68cee736868c06bc0cdd9f8c8053

C:\Users\Admin\AppData\Local\Temp\Wants

MD5 6a0f6ec58eede01727ff20a5b8f47558
SHA1 c3a54950eccf619376d549e09fa4700eae8180b1
SHA256 ee4dc5c5602b3fd1dc27ac56a3adcfe046af5de28667124fe571b4c74d4b92b5
SHA512 1e24469165f50abfefb296159566d04a5aa1b33ba808276de706f0a50fed3825f58a218885e411406dba1e304b4a3738b25ffd66a0b175d9fd6684267fe163f9

C:\Users\Admin\AppData\Local\Temp\Values

MD5 76bc6e5bb48542fede8de3faa38331f8
SHA1 c7dba32f16625913b17b2209dba00686d7d0130f
SHA256 a05dd13e06a53adf314d636c8af8f014c854c436269b8fc7e5801e0d37ba9bd3
SHA512 490c03ee4cf34aa6148e9af606fe40963ef45657e03bcee9e3c4f42ff39015fa45d61c20ef1818cddcab790034cc9d56a5d35aa4de7dba2be8d72f884004394d

C:\Users\Admin\AppData\Local\Temp\Constitution

MD5 7a30dcabdbd7d6a7dd22682da147fd3b
SHA1 14693b68d90ecd9c25928ca158e9cbbaa4f56307
SHA256 57d3ae6a0b54998e99c87684bd89c82bfaa6acbd7b3969e02b9efe05c1930f4f
SHA512 346ead6d9090b46d7970f3d0646460e007fdffe8dfc8ec5b9abb6d95f99c13a986e9f279f2e9a99dd3f7d43f82fe31bc6b891b03149e90af5caeccab8cf2ba96

C:\Users\Admin\AppData\Local\Temp\Launch

MD5 48b295340d4b32f42b7e590b1d330d12
SHA1 8e2d5edcc051e9abd98e71028c7a734fcb569f9f
SHA256 c80134aab565f678d754f9cd0840191a94715380ac29fd102519b477c12a6fcb
SHA512 a383136253e31a482c2187a3a21466197b45a3ad82471d9930f9f1e75329dbd8e5f4f993b7ee9e83906b7d4e606dd143f79bfd8b832d5bd35d055930fe846b7e

C:\Users\Admin\AppData\Local\Temp\Sao

MD5 4cd67bcf6017f51289248773c0dc0fb6
SHA1 79119827a9ba3a524ec778267829ec12ccf99cf3
SHA256 e7487b34ea922bac8ed971d89ebea715fe62df57ebddb2a1901954d9d71aa382
SHA512 a9bb95455c61c128b53efd1e4e0b95a90968f99e1d80af704cad636be36f80eb64097ed9f681c8240cd70dfe33cfee7b1e969ff9820594825a0223ed33088f4c

C:\Users\Admin\AppData\Local\Temp\Guns

MD5 9f9eaa160cf23b013344902ce312621d
SHA1 20b7fa68267a4e74ab6b845ddf070b5c2160ab72
SHA256 4ddf0f4d2f51c1b3d71b9bdfc7e581cbac7d6d694a871247246a160c0359eca1
SHA512 ebcb5c5b1b94ea9b21f34878eb3b94e3edfe53812f0d67b2a882dd171ff80acbcf71c6e373f24bd10618f8ddd70963e7e8f3c6c975e09dd711351a738b954130

C:\Users\Admin\AppData\Local\Temp\Participating

MD5 52d6cf77c494c1d8f80d5031ddab6e41
SHA1 69aa5f75d0c91e47007e3814d1a538fb5d3eec0d
SHA256 742b4ced3cbb092fffa9dde834b2b81347b0bd3e34394a2fc07166bec85f0130
SHA512 a236e0baeed1a0641afb2b0a5e96b71477ecdb1ec30a30c81f36a49389263046db257601c3ac83db87a7ab1759f96b5ab4887a7877f5914c7c92cbe5fb6059a8

C:\Users\Admin\AppData\Local\Temp\Catalogs

MD5 5473f0153ae2e1b88169449c68718c2e
SHA1 6a6832bbe15ae5bf83996e6d7acc264665984883
SHA256 93a5fdd31fbb2abd8f7737403a8430c8b242c52563cd85f4e7e7a7b435fad00a
SHA512 0ee1ebc68be84498451eaf8b2ba089f9365e8b0d9db0c410cf3dd5b5e6b3aa6e21bb519517e480cb1f86a7dd9e36d2ad475e4b77fc395941395d8496ff3c1206

C:\Users\Admin\AppData\Local\Temp\Develops

MD5 14fb801822980aeca55aca8993ae113a
SHA1 dab682e548dca8b02ea3f053a62b3ffeb6a0d97e
SHA256 97e182ef6bf3954a913129fcec0f2e4c5cae3bf7ba1089c8b8556907ad5d98a4
SHA512 68c0f83dd560d5fb04388aad102c34883326689564c5c7a83581f3a6110c6ae7a4ea2fc1c8fa46c7b872b2cce17290744597f0801001a0df8b07f4d5f644ce92

C:\Users\Admin\AppData\Local\Temp\Ob

MD5 7c84a6a96f3719a0f18b9bff7d2c5197
SHA1 800dc114e68653111bccf8fd5d706956fec0a526
SHA256 2d2807f5e782a99c93a14fef5f4d43d1716af2ea7e8c2663d66ad0fac82602ae
SHA512 6e3aeaf4cdbcf4aff2f78c19eee99363a743761a67dee725a265849bafa51f80a7db97f3100bb97e2dd0018b020d6e3790f0b2e172a5ea67f0f6305dc42da9e5

C:\Users\Admin\AppData\Local\Temp\Fred

MD5 bbb5c1960fdba9dd5f61cd94b5fca640
SHA1 6018f4d79aea8458f59458289993909dea469f08
SHA256 3446f5773f5ca7898cec283a270c0f231eae1b0f9e98c1a1a5c2ab35a73e101e
SHA512 ac6d12a70ecd78ca971d1872453d6431f0001f099b1b1e4d1d4b320f5ec316e8c5dc6bb02005010a31ec4cc02559df4dd111969e81cfadf027e6846d1ae3aa12

C:\Users\Admin\AppData\Local\Temp\Costumes

MD5 a4e5af724126b49cc8473bec7774ae26
SHA1 c531a7e5ac488261c666022eedf2379c44d2a95d
SHA256 2ee8296d8948e97dd47921dccf2a60877665c9c22f67083e873c2566dfb6f016
SHA512 e4c34e23ab1c69cf19297b0e2d464d8e40b886acc2b04f083a1789eee4cd80c16acfa1687ce8817ac39f92d61a657c973f7da61504d0046936aa273525fc1847

C:\Users\Admin\AppData\Local\Temp\Harold

MD5 64e96b57b47065a8abed50c0feffbc5c
SHA1 e40b3382324cbc7296066e9ef8bc160590df3eef
SHA256 4ca95b19c2055f6630a6eafb72ff6f9f30d91fea214ba901d262cfa07a310900
SHA512 cd3ab472da6851f55ce16d8334639f08cea4122afab1d56bb921c99c4edc196afce38afc074763b877b758b9a1bcf2fef9542a341cc192d704a7d4c7e7ba4a83

C:\Users\Admin\AppData\Local\Temp\Engage

MD5 06456cf00be795d09c0e2c789056c19b
SHA1 8af8f879351059e40817c5e43e20df2000bc9fa3
SHA256 87b8a446c99dda954089465099079e987fb6e7f22af4d6dc71a92f17ab062cfd
SHA512 6afd9c6c8e2eca402772e3e9e3b370691d94216409041ecf03d6c1d85c17ba05ecdbff8f45eb29b7d46fd2403c76f5b58ff0e6d8f58dca9446d684ff117e4121

C:\Users\Admin\AppData\Local\Temp\Receiver

MD5 cf8fd55080b5670a3c9ec9679dffd157
SHA1 ad6a5d41e3495495297868e3f1b50f869fd7e487
SHA256 a6c278716d7191dede9d83125adedd86c287c56f7460700f0930e9084e5dbb86
SHA512 b754c2a0ecd4094b548e23906633b3c1d42a4ced95c4227a85b35426e0e8946af9b7685a3d03521ac96c54511ec37b4d77417fabb9e61c1f340f4d8083654149

C:\Users\Admin\AppData\Local\Temp\Fault

MD5 1de9ee507b65fb052c38a4a7b9df220c
SHA1 b358c7880c6828989d1ec592027f507e26c3fe7b
SHA256 8747c8cb8fdedab546903c8d2c22c4fdb04162bb32485b27e3afc51e77e76f4e
SHA512 30d450e038c82b9323221778fb4ad8a3caef0b2d80bccc8de4e6dae36a41995dc833cfe93ea56cd7a40362389e1107a5ed7001f055c20e03184dfec14320d763

C:\Users\Admin\AppData\Local\Temp\Partition

MD5 e3726c254ce4d8e2d4a93e0ce5fcd60b
SHA1 7221c64d893efa94c610b069c056a60d4f6215cd
SHA256 f67b4774266c77ec31e532a6743dabbae160b3d18de51717c67e03fac91c0fb7
SHA512 1fe731b4ef00393747dc884cc3e5c347fd232b7992078c71ac7e8258285ac8f0fe1ef9f4a44fe88b004805304b78e6803b338cea749564c62b85de033ed765ac

C:\Users\Admin\AppData\Local\Temp\Hewlett

MD5 dc204114b9b298bd64e46041e140257d
SHA1 8fd0145e6b5b0c1a121d662e2448a464d943c20a
SHA256 4d1257e320e6962dd672b18a707192a83685ee2b5de6ae3e6f05468d25c0625d
SHA512 9835e7b229db47bb5f31e2b193ae17ebf53e70204149a2a531c0836705379ebb39dc768bfdba653d28f6c114abd53a23af27ec9b77221c6229460a240162e633

C:\Users\Admin\AppData\Local\Temp\Facing

MD5 d3afa5ec45ff2a1a285f1daad449f87f
SHA1 675b1e378253862f221acbb5767616a05dc07cdb
SHA256 850c3184f927ef6faf1bdcccad1c87392615fb743985a5b6b0116ad3621d9a3a
SHA512 2aad39c8cf0c7a88848f3467e90464f3e45d102471805f9071666dd333385b582133d844e5ba15318f54022ae9fa7b5eabe3c75387e9ebaed64a4070809548a7

C:\Users\Admin\AppData\Local\Temp\Grid

MD5 f8fee031f1236ef6c2a406074b2c8059
SHA1 84bddb7e6a049e6d6cf4e95afac870d5d705dda0
SHA256 904e5690bc4b0681c6d5e1dcbdbd997f5fe8419a485ec00eb98f82cbb813e210
SHA512 7f48033318174a9ce33458d94a6f76d64f5b9e648a98153e51bd57b3cb8ae134136b907e6c8c5d7e060726defef345b3db91419eb3b76382da6dc262e2f8be5f

C:\Users\Admin\AppData\Local\Temp\Oman

MD5 490305555507e8c180bd8a219505269d
SHA1 9bc3c61660905b6fb0935e0bbf45cc07c01afcb3
SHA256 3a87bc9307307ddd5979a7143bbe0adb7d4a67670429a1562a9ebd3dfa47dfcc
SHA512 bd60befcfcddc749841a4a145a5201a22ae0b7edf71fa5043f8a2c15cb42cb701cc04c428d96852037d321929141c8d55e6288382604e8cd713dd6f17b1a69e7

\Users\Admin\AppData\Local\Temp\39531\Mounted.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

C:\Users\Admin\AppData\Local\Temp\39531\n

MD5 20b3cb856fe8da2735f8a7f0edeff510
SHA1 aa696d41c4204e86d1b1d65cb261fade38cfade6
SHA256 9e31830e6a456df267063eb12ac5586d19f391611ca35393581ea3a481da807c
SHA512 d5af4d5f86de792015c28eda91b04969077d0fe2ef4b4820e029cc15ae8cdcc76af2e9cffb1be3731d661d021c2158001d8dcb5b10523ed193e65eaec042e442

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-03 00:38

Reported: 2024-08-03 00:41

Platform: win10v2004-20240802-en

Max time kernel: 145s

Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe"

Signatures

AsyncRat

Tags: rat asyncrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A

Enumerates processes with tasklist

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\OutdoorsBg | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A
File opened for modification | C:\Windows\BrotherOfficial | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A
File opened for modification | C:\Windows\ThinksGoods | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A
File opened for modification | C:\Windows\ExaminingBryant | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A
File opened for modification | C:\Windows\MakesAdolescent | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A
File opened for modification | C:\Windows\RelyModeling | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

Tags: persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3984 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2700 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe 3
PID 2700 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe 3
PID 2700 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe 3
PID 2700 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe 3
PID 2700 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2700 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe 3
PID 2700 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2700 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif 3
PID 2700 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe 3
PID 3756 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif C:\Windows\SysWOW64\cmd.exe 3
PID 3756 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif C:\Windows\SysWOW64\schtasks.exe 3
PID 3452 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 3756 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe 5

Processes

C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe

"C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Respondent Respondent.cmd & Respondent.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 39531

C:\Windows\SysWOW64\findstr.exe

findstr /V "resultsadapterdeniedclosed" Lotus

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Oman + Grid + Facing + Hewlett 39531\n

C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif

Mounted.pif n

C:\Windows\SysWOW64\choice.exe

choice /d y /t 15

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Social" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\PrometheusFlow.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "PrometheusFlow" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\PrometheusFlow.js'" /sc onlogon /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Social" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\PrometheusFlow.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe
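The Processes list above is the whole dropper chain: rename the extensionless drop to a .cmd and run it, probe tasklist output for security products, carve the loader out of Lotus with findstr /V, reassemble the payload with copy /b, run the .pif from Temp, register wscript //B tasks at the highest run level, then hand off to a RegAsm.exe copied into Temp (the only child in the WriteProcessMemory table written to more than three times, consistent with the payload being injected into it). The following detection example was added for this page and is not code from the sandbox or from the sample. It reconstructs the process tree from constructed process-creation events, with PIDs taken from the WriteProcessMemory table and images and command lines from the Processes list; pairing the two in creation order is an assumption. Scoring the stages per tree rather than per process is what keeps a lone tasklist|findstr or a single schtasks call from firing.

```python
import re
from collections import defaultdict

# Constructed process-creation events for this example: PIDs come from the
# WriteProcessMemory table, images and command lines from the Processes list.
# Pairing them in creation order is an assumption, not something the report states.
EVENTS = [
    dict(pid=3984, ppid=1, image=r"C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe",
         cmd=r'"C:\Users\Admin\AppData\Local\Temp\injectorStarter.exe"'),
    dict(pid=2700, ppid=3984, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmd=r'"C:\Windows\System32\cmd.exe" /k move Respondent Respondent.cmd & Respondent.cmd & exit'),
    dict(pid=1368, ppid=2700, image=r"C:\Windows\SysWOW64\tasklist.exe", cmd="tasklist"),
    dict(pid=3092, ppid=2700, image=r"C:\Windows\SysWOW64\findstr.exe",
         cmd='findstr /I "wrsa.exe opssvc.exe"'),
    dict(pid=1044, ppid=2700, image=r"C:\Windows\SysWOW64\findstr.exe",
         cmd='findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"'),
    dict(pid=564, ppid=2700, image=r"C:\Windows\SysWOW64\findstr.exe",
         cmd='findstr /V "resultsadapterdeniedclosed" Lotus'),
    dict(pid=3888, ppid=2700, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmd=r"cmd /c copy /b Oman + Grid + Facing + Hewlett 39531\n"),
    dict(pid=3756, ppid=2700, image=r"C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif",
         cmd="Mounted.pif n"),
    dict(pid=3380, ppid=3756, image=r"C:\Windows\SysWOW64\schtasks.exe",
         cmd=r'''schtasks.exe /create /tn "PrometheusFlow" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\PrometheusFlow.js'" /sc onlogon /F /RL HIGHEST'''),
    dict(pid=3776, ppid=3756, image=r"C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe",
         cmd=r"C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe"),
]

# Constructed benign tree: an admin script that lists processes and greps for notepad.
BENIGN = [
    dict(pid=10, ppid=1, image=r"C:\Windows\System32\cmd.exe",
         cmd='cmd /c tasklist | findstr /I "notepad.exe"'),
    dict(pid=11, ppid=10, image=r"C:\Windows\System32\tasklist.exe", cmd="tasklist"),
    dict(pid=12, ppid=10, image=r"C:\Windows\System32\findstr.exe", cmd='findstr /I "notepad.exe"'),
]

# Security-product image names this sample probes for (taken from its findstr command lines).
AV_NAMES = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe", "bdservicehost.exe",
            "ekrn.exe", "nswscsvc.exe", "sophoshealth.exe"}
TEMP_MARK = "\\appdata\\local\\temp\\"


def _av_probe(ev):
    """findstr whose pattern names at least one security-product process."""
    if not ev["image"].lower().endswith("findstr.exe"):
        return False
    return bool(set(re.findall(r"[\w.-]+\.exe", ev["cmd"].lower())) & AV_NAMES)


# One predicate per stage of the chain; each takes an event dict and returns a bool.
RULES = {
    # move X X.cmd & X.cmd: extensionless drop renamed to a batch file and executed
    "rename_and_run_cmd": lambda ev: re.search(
        r"\bmove\s+(\S+)\s+\1\.cmd\b.*&\s*\1\.cmd", ev["cmd"], re.I) is not None,
    "av_process_probe": _av_probe,
    # findstr /V "junk" file: every line not carrying the junk marker is the real payload
    "findstr_carve": lambda ev: re.search(
        r'\bfindstr\s+/V\s+"[^"]+"\s+\S+', ev["cmd"], re.I) is not None,
    # copy /b a + b + c dest: payload reassembled from split chunks
    "binary_concat": lambda ev: re.search(
        r"\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+)+", ev["cmd"], re.I) is not None,
    "pif_from_temp": lambda ev: ev["image"].lower().endswith(".pif")
        and TEMP_MARK in ev["image"].lower(),
    # scheduled task running wscript hidden (//B) at the highest run level
    "schtasks_hidden_wscript": lambda ev: re.search(
        r"schtasks(?:\.exe)?\s+/create\b.*wscript\s+//B\b.*/RL\s+HIGHEST", ev["cmd"], re.I) is not None,
    # RegAsm.exe executed from anywhere other than its .NET framework directory
    "regasm_outside_dotnet": lambda ev: ev["image"].lower().endswith("\\regasm.exe")
        and "\\microsoft.net\\" not in ev["image"].lower(),
}


def root_pid(events_by_pid, ev):
    """Walk ppid links up to the top of the tree present in the event set."""
    seen = set()
    while ev["ppid"] in events_by_pid and ev["pid"] not in seen:
        seen.add(ev["pid"])
        ev = events_by_pid[ev["ppid"]]
    return ev["pid"]


def detect_dropper_chain(events, min_stages=4):
    """Return {root pid: sorted stage names} for every tree that hits >= min_stages stages."""
    by_pid = {ev["pid"]: ev for ev in events}
    stages = defaultdict(set)
    for ev in events:
        hits = {name for name, rule in RULES.items() if rule(ev)}
        if hits:
            stages[root_pid(by_pid, ev)] |= hits
    return {pid: sorted(names) for pid, names in stages.items() if len(names) >= min_stages}


if __name__ == "__main__":
    for pid, names in detect_dropper_chain(EVENTS).items():
        print(f"root pid {pid}: {len(names)} stages: {', '.join(names)}")
    print("benign tree:", detect_dropper_chain(BENIGN))
```

On the events above the tree rooted at PID 3984 hits all seven stages, while the benign tasklist|findstr tree hits none. The min_stages threshold is the tuning knob: lowering it to 1 would turn the regasm_outside_dotnet and pif_from_temp rules into stand-alone alerts, which is reasonable on hosts where neither should ever run from a user's Temp directory.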

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 g.bing.com udp 1
US 13.107.21.237:443 g.bing.com tcp 1
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp 1
US 8.8.8.8:53 RarchmrXhvP.RarchmrXhvP udp 1
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
DE 41.216.183.109:4449 N/A tcp 8
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp 1
DE 41.216.183.109:4449 N/A tcp 2
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp 1
DE 41.216.183.109:4449 N/A tcp 10

Files

C:\Users\Admin\AppData\Local\Temp\Respondent

MD5 2c80cd8d1a211878311e15c988e43e43
SHA1 0f6075906be644ce00158f2f9bbc2c1d841055c4
SHA256 bef483b04221118610f9a86a5acbf29468c72ce05c949d371f20af05127caef4
SHA512 dd4b0f7643d27bd35c5009442d0a58cf026eaff9dbc60bd23bbc5726fdf7b5826d57830b0106e974b773db16a516651b710e56a0af9bc56390345b65abd11cfa

C:\Users\Admin\AppData\Local\Temp\Lotus

MD5 c3650f3b9c198544848ad56b0a516b34
SHA1 af9eadeeab33d9f9f1d34cc9fed37ffd79fe8fef
SHA256 4e0413381da3a43e566e5564125b1d6c7807ec394855bb78b992e8c120c875df
SHA512 d42395fa7b2333965a004bc62e3d4c093e2a349199ba7699987a3acbe8eb0a5a04d7712279f0e80f6569f8f1f14a89e55e86e5e54f0132b5d5c2fd2cb0fb89ee

C:\Users\Admin\AppData\Local\Temp\Smart

MD5 cdd5950e7a5ff576a909f2cc0a724fa9
SHA1 8ee1f4278a943d2619f85afb8efdc59649d79a4e
SHA256 4c92fc69142b46c15880c534f01f17393859a9ebe0d2e9e8ef22d2089116fa80
SHA512 293e2134967a09bb0eed77369f96f9ea4156ff6e8cab16d5e964d4c2a2c7622412f3e42c7a2a4d1bd97384e8495e8566de9c0ae6789269580e3be6674a1f9d4b

C:\Users\Admin\AppData\Local\Temp\Via

MD5 1b2a11d81c131d8a7201d7273e729f4d
SHA1 bc946d54f492c2c4720744491198c0d4726a867a
SHA256 be2ae9d92507a8e5ca3af69308578912265bb0c2b7a187ba76993472840309d0
SHA512 12df734187c66ccd3f38766d2f81abb728b6ca645ce3ec1884c7441e631216033bfabc74771d702f59f8f3a6834f4dc8c823c6e8495e5fef7a252ad68db360fa

C:\Users\Admin\AppData\Local\Temp\Types

MD5 3132f4c3b0ebb637f372a5f25bda7e2c
SHA1 975cb8ad8686adc7d0b94a2e1e607838b7a4f324
SHA256 be400ddd579787c75484667c49064a39b6f140f165019f8db7b469a455d5c68c
SHA512 237e48e69d59f16b4585fe0ce4ec4e02ea1dee80f69e4e7e46691108e6b9dbf8ff72637b4c9fb7cd705ed0accb7a560b6ae440dc1bf1160a6a233282a7568b09

C:\Users\Admin\AppData\Local\Temp\Karl

MD5 4afec75b2b84c69bb310bd981b0900f5
SHA1 b59f58965d9051c8fb44af88fd3f583ac3a7276a
SHA256 965ea78ab73ea3d947fc7f0b991c640057743cdea8488a0185d2a9aa4a0dc9cf
SHA512 453d2e55bc1130cc8c6dee120c34e7559ca8eda4d35059a8633b62093eaca648e6406955c6d4b8b8f8d0c37e665d13e8ebc51c85378651f357b671c2f2791fbb

C:\Users\Admin\AppData\Local\Temp\Breathing

MD5 add15a329a97bb45ddc59b0bd8bc7ab6
SHA1 8e0e1a91deabce91d237d4dac1d932ce5ced3241
SHA256 ec1b15e76193eee6b374895c9703f4f35a15118ecd6f340e053a39ae9dc5f248
SHA512 91fe85c2b9460c979b1aa69dcf9f6c6256494c62613d50e957af68e8190c309932949e8ad6379dc49ac43d554e17d89cd36ded3d20b79b3d9ead8f7041fb0f87

C:\Users\Admin\AppData\Local\Temp\Series

MD5 dcf5d2bfb0b7b0852db5f86c0bbf0b2f
SHA1 83c3b09a9e02169c7ef7ba58b5a41c9e34f0e43b
SHA256 e62e4786985495bb27d215f28755407acbca3fe585a7b63edfa52a843052f4ee
SHA512 d018e24707f7547a761517490705bbb80847e124085b74ef690f0604e3db52cfe8e6856fdb5b77fc86ceb7931a6ac430ac1e68cee736868c06bc0cdd9f8c8053

C:\Users\Admin\AppData\Local\Temp\Wants

MD5 6a0f6ec58eede01727ff20a5b8f47558
SHA1 c3a54950eccf619376d549e09fa4700eae8180b1
SHA256 ee4dc5c5602b3fd1dc27ac56a3adcfe046af5de28667124fe571b4c74d4b92b5
SHA512 1e24469165f50abfefb296159566d04a5aa1b33ba808276de706f0a50fed3825f58a218885e411406dba1e304b4a3738b25ffd66a0b175d9fd6684267fe163f9

C:\Users\Admin\AppData\Local\Temp\Values

MD5 76bc6e5bb48542fede8de3faa38331f8
SHA1 c7dba32f16625913b17b2209dba00686d7d0130f
SHA256 a05dd13e06a53adf314d636c8af8f014c854c436269b8fc7e5801e0d37ba9bd3
SHA512 490c03ee4cf34aa6148e9af606fe40963ef45657e03bcee9e3c4f42ff39015fa45d61c20ef1818cddcab790034cc9d56a5d35aa4de7dba2be8d72f884004394d

C:\Users\Admin\AppData\Local\Temp\Constitution

MD5 7a30dcabdbd7d6a7dd22682da147fd3b
SHA1 14693b68d90ecd9c25928ca158e9cbbaa4f56307
SHA256 57d3ae6a0b54998e99c87684bd89c82bfaa6acbd7b3969e02b9efe05c1930f4f
SHA512 346ead6d9090b46d7970f3d0646460e007fdffe8dfc8ec5b9abb6d95f99c13a986e9f279f2e9a99dd3f7d43f82fe31bc6b891b03149e90af5caeccab8cf2ba96

C:\Users\Admin\AppData\Local\Temp\Launch

MD5 48b295340d4b32f42b7e590b1d330d12
SHA1 8e2d5edcc051e9abd98e71028c7a734fcb569f9f
SHA256 c80134aab565f678d754f9cd0840191a94715380ac29fd102519b477c12a6fcb
SHA512 a383136253e31a482c2187a3a21466197b45a3ad82471d9930f9f1e75329dbd8e5f4f993b7ee9e83906b7d4e606dd143f79bfd8b832d5bd35d055930fe846b7e

C:\Users\Admin\AppData\Local\Temp\Sao

MD5 4cd67bcf6017f51289248773c0dc0fb6
SHA1 79119827a9ba3a524ec778267829ec12ccf99cf3
SHA256 e7487b34ea922bac8ed971d89ebea715fe62df57ebddb2a1901954d9d71aa382
SHA512 a9bb95455c61c128b53efd1e4e0b95a90968f99e1d80af704cad636be36f80eb64097ed9f681c8240cd70dfe33cfee7b1e969ff9820594825a0223ed33088f4c

C:\Users\Admin\AppData\Local\Temp\Participating

MD5 52d6cf77c494c1d8f80d5031ddab6e41
SHA1 69aa5f75d0c91e47007e3814d1a538fb5d3eec0d
SHA256 742b4ced3cbb092fffa9dde834b2b81347b0bd3e34394a2fc07166bec85f0130
SHA512 a236e0baeed1a0641afb2b0a5e96b71477ecdb1ec30a30c81f36a49389263046db257601c3ac83db87a7ab1759f96b5ab4887a7877f5914c7c92cbe5fb6059a8

C:\Users\Admin\AppData\Local\Temp\Guns

MD5 9f9eaa160cf23b013344902ce312621d
SHA1 20b7fa68267a4e74ab6b845ddf070b5c2160ab72
SHA256 4ddf0f4d2f51c1b3d71b9bdfc7e581cbac7d6d694a871247246a160c0359eca1
SHA512 ebcb5c5b1b94ea9b21f34878eb3b94e3edfe53812f0d67b2a882dd171ff80acbcf71c6e373f24bd10618f8ddd70963e7e8f3c6c975e09dd711351a738b954130

C:\Users\Admin\AppData\Local\Temp\Catalogs

MD5 5473f0153ae2e1b88169449c68718c2e
SHA1 6a6832bbe15ae5bf83996e6d7acc264665984883
SHA256 93a5fdd31fbb2abd8f7737403a8430c8b242c52563cd85f4e7e7a7b435fad00a
SHA512 0ee1ebc68be84498451eaf8b2ba089f9365e8b0d9db0c410cf3dd5b5e6b3aa6e21bb519517e480cb1f86a7dd9e36d2ad475e4b77fc395941395d8496ff3c1206

C:\Users\Admin\AppData\Local\Temp\Ob

MD5 7c84a6a96f3719a0f18b9bff7d2c5197
SHA1 800dc114e68653111bccf8fd5d706956fec0a526
SHA256 2d2807f5e782a99c93a14fef5f4d43d1716af2ea7e8c2663d66ad0fac82602ae
SHA512 6e3aeaf4cdbcf4aff2f78c19eee99363a743761a67dee725a265849bafa51f80a7db97f3100bb97e2dd0018b020d6e3790f0b2e172a5ea67f0f6305dc42da9e5

C:\Users\Admin\AppData\Local\Temp\Costumes

MD5 a4e5af724126b49cc8473bec7774ae26
SHA1 c531a7e5ac488261c666022eedf2379c44d2a95d
SHA256 2ee8296d8948e97dd47921dccf2a60877665c9c22f67083e873c2566dfb6f016
SHA512 e4c34e23ab1c69cf19297b0e2d464d8e40b886acc2b04f083a1789eee4cd80c16acfa1687ce8817ac39f92d61a657c973f7da61504d0046936aa273525fc1847

C:\Users\Admin\AppData\Local\Temp\Fault

MD5 1de9ee507b65fb052c38a4a7b9df220c
SHA1 b358c7880c6828989d1ec592027f507e26c3fe7b
SHA256 8747c8cb8fdedab546903c8d2c22c4fdb04162bb32485b27e3afc51e77e76f4e
SHA512 30d450e038c82b9323221778fb4ad8a3caef0b2d80bccc8de4e6dae36a41995dc833cfe93ea56cd7a40362389e1107a5ed7001f055c20e03184dfec14320d763

C:\Users\Admin\AppData\Local\Temp\Receiver

MD5 cf8fd55080b5670a3c9ec9679dffd157
SHA1 ad6a5d41e3495495297868e3f1b50f869fd7e487
SHA256 a6c278716d7191dede9d83125adedd86c287c56f7460700f0930e9084e5dbb86
SHA512 b754c2a0ecd4094b548e23906633b3c1d42a4ced95c4227a85b35426e0e8946af9b7685a3d03521ac96c54511ec37b4d77417fabb9e61c1f340f4d8083654149

C:\Users\Admin\AppData\Local\Temp\Engage

MD5 06456cf00be795d09c0e2c789056c19b
SHA1 8af8f879351059e40817c5e43e20df2000bc9fa3
SHA256 87b8a446c99dda954089465099079e987fb6e7f22af4d6dc71a92f17ab062cfd
SHA512 6afd9c6c8e2eca402772e3e9e3b370691d94216409041ecf03d6c1d85c17ba05ecdbff8f45eb29b7d46fd2403c76f5b58ff0e6d8f58dca9446d684ff117e4121

C:\Users\Admin\AppData\Local\Temp\Harold

MD5 64e96b57b47065a8abed50c0feffbc5c
SHA1 e40b3382324cbc7296066e9ef8bc160590df3eef
SHA256 4ca95b19c2055f6630a6eafb72ff6f9f30d91fea214ba901d262cfa07a310900
SHA512 cd3ab472da6851f55ce16d8334639f08cea4122afab1d56bb921c99c4edc196afce38afc074763b877b758b9a1bcf2fef9542a341cc192d704a7d4c7e7ba4a83

C:\Users\Admin\AppData\Local\Temp\Fred

MD5 bbb5c1960fdba9dd5f61cd94b5fca640
SHA1 6018f4d79aea8458f59458289993909dea469f08
SHA256 3446f5773f5ca7898cec283a270c0f231eae1b0f9e98c1a1a5c2ab35a73e101e
SHA512 ac6d12a70ecd78ca971d1872453d6431f0001f099b1b1e4d1d4b320f5ec316e8c5dc6bb02005010a31ec4cc02559df4dd111969e81cfadf027e6846d1ae3aa12

C:\Users\Admin\AppData\Local\Temp\Develops

MD5 14fb801822980aeca55aca8993ae113a
SHA1 dab682e548dca8b02ea3f053a62b3ffeb6a0d97e
SHA256 97e182ef6bf3954a913129fcec0f2e4c5cae3bf7ba1089c8b8556907ad5d98a4
SHA512 68c0f83dd560d5fb04388aad102c34883326689564c5c7a83581f3a6110c6ae7a4ea2fc1c8fa46c7b872b2cce17290744597f0801001a0df8b07f4d5f644ce92

C:\Users\Admin\AppData\Local\Temp\Partition

MD5 e3726c254ce4d8e2d4a93e0ce5fcd60b
SHA1 7221c64d893efa94c610b069c056a60d4f6215cd
SHA256 f67b4774266c77ec31e532a6743dabbae160b3d18de51717c67e03fac91c0fb7
SHA512 1fe731b4ef00393747dc884cc3e5c347fd232b7992078c71ac7e8258285ac8f0fe1ef9f4a44fe88b004805304b78e6803b338cea749564c62b85de033ed765ac

C:\Users\Admin\AppData\Local\Temp\Oman

MD5 490305555507e8c180bd8a219505269d
SHA1 9bc3c61660905b6fb0935e0bbf45cc07c01afcb3
SHA256 3a87bc9307307ddd5979a7143bbe0adb7d4a67670429a1562a9ebd3dfa47dfcc
SHA512 bd60befcfcddc749841a4a145a5201a22ae0b7edf71fa5043f8a2c15cb42cb701cc04c428d96852037d321929141c8d55e6288382604e8cd713dd6f17b1a69e7

C:\Users\Admin\AppData\Local\Temp\Grid

MD5 f8fee031f1236ef6c2a406074b2c8059
SHA1 84bddb7e6a049e6d6cf4e95afac870d5d705dda0
SHA256 904e5690bc4b0681c6d5e1dcbdbd997f5fe8419a485ec00eb98f82cbb813e210
SHA512 7f48033318174a9ce33458d94a6f76d64f5b9e648a98153e51bd57b3cb8ae134136b907e6c8c5d7e060726defef345b3db91419eb3b76382da6dc262e2f8be5f

C:\Users\Admin\AppData\Local\Temp\Facing

MD5 d3afa5ec45ff2a1a285f1daad449f87f
SHA1 675b1e378253862f221acbb5767616a05dc07cdb
SHA256 850c3184f927ef6faf1bdcccad1c87392615fb743985a5b6b0116ad3621d9a3a
SHA512 2aad39c8cf0c7a88848f3467e90464f3e45d102471805f9071666dd333385b582133d844e5ba15318f54022ae9fa7b5eabe3c75387e9ebaed64a4070809548a7

C:\Users\Admin\AppData\Local\Temp\Hewlett

MD5 dc204114b9b298bd64e46041e140257d
SHA1 8fd0145e6b5b0c1a121d662e2448a464d943c20a
SHA256 4d1257e320e6962dd672b18a707192a83685ee2b5de6ae3e6f05468d25c0625d
SHA512 9835e7b229db47bb5f31e2b193ae17ebf53e70204149a2a531c0836705379ebb39dc768bfdba653d28f6c114abd53a23af27ec9b77221c6229460a240162e633

C:\Users\Admin\AppData\Local\Temp\39531\Mounted.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

C:\Users\Admin\AppData\Local\Temp\39531\n

MD5 20b3cb856fe8da2735f8a7f0edeff510
SHA1 aa696d41c4204e86d1b1d65cb261fade38cfade6
SHA256 9e31830e6a456df267063eb12ac5586d19f391611ca35393581ea3a481da807c
SHA512 d5af4d5f86de792015c28eda91b04969077d0fe2ef4b4820e029cc15ae8cdcc76af2e9cffb1be3731d661d021c2158001d8dcb5b10523ed193e65eaec042e442

memory/3776-71-0x0000000001110000-0x0000000001128000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\39531\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/3776-74-0x0000000005F00000-0x00000000064A4000-memory.dmp

memory/3776-76-0x0000000005BF0000-0x0000000005C82000-memory.dmp

memory/3776-77-0x00000000058F0000-0x00000000058FA000-memory.dmp