Malware Analysis Report

2025-06-15 22:31

Sample ID 241102-lldmmascmj
Target f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe
SHA256 f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e
Tags
collection discovery persistence privilege_escalation spyware stealer
score
7/10


Analysis Overview

score
7/10

SHA256

f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e

Threat Level: Shows suspicious behavior

The file f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe was classified as "shows suspicious behavior" (score 7/10). Both detonations below record the same core chain: the sample is copied to %LOCALAPPDATA%\Starlabs, a scheduled task that runs it every minute at the highest run level is created, the original copy in %TEMP% is deleted, and the relocated copy then enumerates Wi-Fi profiles and nearby networks, reads browser and Outlook profile data, looks up the external IP via ip-api.com and connects to 104.161.33.60:8080 directly by IP. The Windows 10 run additionally launches a binary named tor-real.exe from a random-named directory under %LOCALAPPDATA%.

Malicious Activity Summary

collection discovery persistence privilege_escalation spyware stealer

Checks computer location settings

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Deletes itself

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Checks installed software on the system

Accesses Microsoft Outlook profiles

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Network Configuration Discovery: Wi-Fi Discovery

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

outlook_office_path

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Analysis: static1

Detonation Overview

Reported

2024-11-02 09:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 09:36

Reported

2024-11-02 09:44

Platform

win7-20240903-en

Max time kernel

119s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Note: every indicator below is netsh.exe reading HKLM\SOFTWARE\Microsoft\NetSh, which netsh does on every start to locate its helper DLLs; no write to that key is recorded anywhere in this report. These events are a by-product of the "netsh wlan show" commands in the Wi-Fi discovery section, not evidence of helper-DLL persistence. A real helper-DLL registration would show a "Set value" on this key or a "netsh add helper" command line.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Note: the only write is one certificate blob under AuthRoot\Certificates, and the same run dropped Cab*.tmp and Tar*.tmp files in %TEMP% (see Files). That combination is what the Windows automatic root-certificate update produces when CryptoAPI fetches the root CTL during the first TLS connection (here to github.com) on a fresh Win7 image, and the Windows 10 detonation shows no certificate-store write at all. Treat it as a probable side effect of the HTTPS download rather than a deliberately installed root certificate, and confirm by checking whether thumbprint D1EB23A46D17D68FD92564C2F1F1601764D8E349 belongs to a CA in the Microsoft Trusted Root Program.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Note: the Starlabs copy requests a long, fixed list of privileges in ascending LUID order (SeCreateToken is LUID 2, SeManageVolume is 28, then 31 and 32) before re-enabling SeDebugPrivilege, the footprint of a loop over every named privilege rather than a targeted request. AdjustTokenPrivileges can only enable privileges already present in the token, so in a non-elevated context this grants nothing new; the call pattern is still a useful behavioral indicator.
Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: 31 (LUID 31 = SeTrustedCredManAccessPrivilege; name not resolved by the sandbox) N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: 32 (LUID 32 = SeRelabelPrivilege; name not resolved by the sandbox) N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1076 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\System32\cmd.exe
PID 1076 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\System32\cmd.exe
PID 1076 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\System32\cmd.exe
PID 1908 wrote to memory of 2872 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1908 wrote to memory of 2872 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1908 wrote to memory of 2872 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1908 wrote to memory of 2888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 1908 wrote to memory of 2888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 1908 wrote to memory of 2888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 1908 wrote to memory of 2720 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1908 wrote to memory of 2720 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1908 wrote to memory of 2720 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1908 wrote to memory of 2896 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe
PID 1908 wrote to memory of 2896 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe
PID 1908 wrote to memory of 2896 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe
PID 2896 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\system32\cmd.exe
PID 1904 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1904 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1904 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1904 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1904 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1904 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1904 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1904 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1904 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2896 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\system32\cmd.exe
PID 2060 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2060 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2060 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2060 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2060 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2060 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2060 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2060 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2060 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2012 wrote to memory of 1364 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe
PID 2012 wrote to memory of 1364 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe
PID 2012 wrote to memory of 1364 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe

"C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\schtasks.exe

schtasks /create /tn "f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe

"C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Windows\system32\taskeng.exe

taskeng.exe {7EC235A8-FAF7-4EB9-8549-378389A63091} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe

C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe
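The process list above (and the identical chain at the start of behavioral2) is the part of this report worth turning into detection logic: one cmd.exe line that waits, registers a per-minute scheduled task pointing into a user-writable directory, deletes the original executable and starts the relocated copy, followed by two "netsh wlan show" pipelines. The block below is an added example written for this page, not code from the sandbox vendor or from the sample. It encodes those three behaviors as rules and runs them over the command lines of this report, copied in as constructed input together with two constructed benign lines the rules must ignore. The rule names, the list of user-writable directories and the separate "key=clear" case (which would turn Wi-Fi profile enumeration into credential theft, and which this sample does not use) are my assumptions; the matching goes beyond the exact strings on this page so that the same chain with a different task name or drop directory still fires.

```python
"""Detection rules for the process chain recorded in this report (added example)."""
import re
from dataclasses import dataclass

SAMPLE = "f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e"
TEMP_EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE + ".exe"
DROP_EXE = "C:\\Users\\Admin\\AppData\\Local\\Starlabs\\" + SAMPLE + ".exe"

# Constructed input: (image, command line) pairs copied from the behavioral1
# process list, plus two constructed benign lines (a vendor backup task and a
# plain netsh query) that the rules must leave alone.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && '
     f'schtasks /create /tn "{SAMPLE}" /sc MINUTE /tr "{DROP_EXE}" /rl HIGHEST /f && '
     f'DEL /F /S /Q /A "{TEMP_EXE}" &&START "" "{DROP_EXE}"'),
    (r"C:\Windows\system32\schtasks.exe",
     f'schtasks /create /tn "{SAMPLE}" /sc MINUTE /tr "{DROP_EXE}" /rl HIGHEST /f'),
    (r"C:\Windows\system32\cmd.exe",
     '"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'),
    (r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
    (r"C:\Windows\system32\cmd.exe",
     '"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"'),
    (r"C:\Windows\system32\netsh.exe", "netsh wlan show networks mode=bssid"),
    (r"C:\Windows\system32\schtasks.exe",
     r'schtasks /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Backup\run.exe" /f'),
    (r"C:\Windows\system32\netsh.exe", "netsh interface show interface"),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


# Directories a standard user can write to; an assumed list, extend per estate.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Temp|Users\\Public|ProgramData)\\", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
SCHEDULE = re.compile(r"/sc\s+(\w+)", re.I)
RUN_LEVEL = re.compile(r"/rl\s+(\w+)", re.I)
DELETE_EXE = re.compile(r'\bDEL\b(?:\s+/\S+)*\s+"?([^"&]+?\.exe)"?', re.I)
WLAN_SHOW = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+(profiles|networks)\b(.*)", re.I)


def check_scheduled_task(image, cmdline):
    """Task whose action lives in a user-writable directory and that runs every
    minute and/or at the highest run level: the persistence shape on this page."""
    if not SCHTASKS_CREATE.search(cmdline):
        return None
    m = TASK_ACTION.search(cmdline)
    action = (m.group(1) or m.group(2)) if m else ""
    if not USER_WRITABLE.search(action):
        return None
    sched_m = SCHEDULE.search(cmdline)
    sched = sched_m.group(1).upper() if sched_m else "?"
    rl_m = RUN_LEVEL.search(cmdline)
    run_level = rl_m.group(1).upper() if rl_m else "LIMITED"
    if sched != "MINUTE" and run_level != "HIGHEST":
        return None
    return Finding("schtasks_userpath_persistence", image,
                   f"action={action} schedule={sched} runlevel={run_level}")


def check_self_delete_relocate(image, cmdline):
    """cmd.exe chain that deletes an executable and START-s another one; the
    timeout in front of it is cosmetic, the delete-plus-start pair is the signal."""
    if not image.lower().endswith("cmd.exe"):
        return None
    deleted = DELETE_EXE.search(cmdline)
    if not deleted or not re.search(r"\bSTART\b", cmdline, re.I):
        return None
    return Finding("self_delete_and_relocate", image, f"deleted={deleted.group(1)}")


def check_wifi_discovery(image, cmdline):
    """netsh wlan show profiles/networks; 'key=clear' (not used by this sample)
    is kept as a separate, higher-severity rule because it exposes PSKs."""
    m = WLAN_SHOW.search(cmdline)
    if not m:
        return None
    dumps_keys = re.search(r"key\s*=\s*clear", m.group(2), re.I) is not None
    rule = "wifi_credential_dump" if dumps_keys else "wifi_discovery"
    return Finding(rule, image, f"netsh wlan show {m.group(1).lower()}")


CHECKS = (check_scheduled_task, check_self_delete_relocate, check_wifi_discovery)


def scan(events):
    """Apply every rule to every (image, cmdline) pair; one Finding per hit."""
    findings = []
    for image, cmdline in events:
        for check in CHECKS:
            hit = check(image, cmdline)
            if hit is not None:
                findings.append(hit)
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Run against the report's lines, the persistence rule fires twice (once on the cmd.exe chain, once on the child schtasks.exe), the self-delete rule once, and the Wi-Fi rule four times (two cmd.exe wrappers and two netsh.exe children); the benign DAILY task into Program Files and the plain "netsh interface" query produce nothing. In a real pipeline the same functions would be fed Sysmon event ID 1 or Windows 4688 command lines instead of the constructed list.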

Network

Country Destination Domain Proto
N/A 127.0.0.1:7469 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.161.33.60:8080 104.161.33.60 tcp
N/A 127.0.0.1:7469 tcp
US 104.161.33.60:8080 104.161.33.60 tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
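The network table mixes four different kinds of traffic that deserve different handling: DNS lookups to the sandbox resolver, TLS to GitHub-hosted infrastructure (a download, most likely the Tor client seen in behavioral2, but shared infrastructure that cannot simply be blocked), an external-IP lookup against ip-api.com, a loopback connection to 127.0.0.1:7469 (probably the listening port of that Tor client; the report does not say so), and a connection to 104.161.33.60:8080 that was never resolved through DNS. The block below is an added example, not part of the report, that parses the table exactly as extracted, classifies each row along those lines, deduplicates the repeated entries and extracts the direct-to-IP connections as the candidate blocklist. The classification names and the lists of IP-lookup services and payload-hosting domains are my assumptions; only ip-api.com, github.com and objects.githubusercontent.com come from the page.

```python
"""Triage of the Network table in this report (added example)."""
import ipaddress

# Constructed input: the behavioral1 Network rows exactly as extracted
# (country, ip:port, optional domain, protocol), duplicates included.
NETWORK_TABLE = """\
N/A 127.0.0.1:7469 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.161.33.60:8080 104.161.33.60 tcp
N/A 127.0.0.1:7469 tcp
US 104.161.33.60:8080 104.161.33.60 tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
"""

# Assumed lists. Only ip-api.com and the two GitHub hosts appear on this page;
# the rest are common equivalents so the classifier is not tied to one sample.
IP_LOOKUP_SERVICES = {"ip-api.com", "api.ipify.org", "ipinfo.io", "icanhazip.com"}
PAYLOAD_HOSTS = {"github.com", "objects.githubusercontent.com",
                 "raw.githubusercontent.com"}


def parse_rows(text):
    """Turn the flattened table into dicts; rows without a domain have 3 fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue  # header or junk line
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(row):
    """One label per row; order matters (loopback before direct-IP, DNS before domains)."""
    try:
        is_loopback = ipaddress.ip_address(row["ip"]).is_loopback
    except ValueError:
        is_loopback = False
    if is_loopback:
        return "local_listener"      # only meaningful with the process that listens
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"
    domain = row["domain"]
    if domain is None or domain == row["ip"]:
        return "direct_ip"           # no resolution preceded it: not shared hosting
    if domain in IP_LOOKUP_SERVICES:
        return "external_ip_lookup"  # fingerprinting, not a command channel
    if domain in PAYLOAD_HOSTS:
        return "payload_hosting"     # download source; blockable only per-URL
    return "other"


def triage(text):
    """Return {label: sorted unique 'ip:port/proto (domain)' strings}."""
    buckets = {}
    for row in parse_rows(text):
        label = f'{row["ip"]}:{row["port"]}/{row["proto"]}'
        if row["domain"] and row["domain"] != row["ip"]:
            label += f' ({row["domain"]})'
        buckets.setdefault(classify(row), set()).add(label)
    return {kind: sorted(items) for kind, items in buckets.items()}


def blocklist_candidates(text):
    """Direct-to-IP destinations: the only rows here that are not DNS, loopback
    or shared infrastructure, so the only ones safe to block outright."""
    return sorted({f'{r["ip"]}:{r["port"]}' for r in parse_rows(text)
                   if classify(r) == "direct_ip"})


if __name__ == "__main__":
    for kind, items in triage(NETWORK_TABLE).items():
        print(kind, items)
    print("block:", blocklist_candidates(NETWORK_TABLE))
```

On this table the thirteen rows collapse to eight unique destinations, and the only blocklist candidate is 104.161.33.60:8080; the GitHub entries need the full download URL from a proxy or TLS inspection log before they can be acted on, and the ip-api.com lookup is better used as a detection than as a block.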

Files

memory/1076-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

memory/1076-1-0x0000000000F00000-0x0000000000F2C000-memory.dmp

memory/1076-2-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

memory/1076-5-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe

MD5 e13fb88ca7d0aef839c0ca07eb36d28b
SHA1 c020b62797cd6875ba054c40a9b2e416c56c8139
SHA256 f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e
SHA512 1ac33d19dab7103f32bbf14c615a3d61288a42fcd410fc9de5208dc8dd64f90fe212195905ceb027bd7642157926e3bc2ecac2b45e7432c580793f6b60450051

memory/2896-9-0x00000000013C0000-0x00000000013EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabECE1.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarEE0D.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\zfzs6gcqx8\p.dat

MD5 9cd3598a91516950427c605ae29cff68
SHA1 339012083576ab4752ec23637f1f049fabf1d3f7
SHA256 2cafe232be9a37514d28d81a51f83e1da635e017dc744663bdd28cc7f9803a44
SHA512 df07de1a8404459a789a856d7f3f7842c31c091ef23373b73279efb3722f5e19d7495c1c8d03129b10ce33c2a7a8fd34228e0b3d74deff23f2a80e70babb18b7

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-02 09:36

Reported

2024-11-02 09:44

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Note: as in behavioral1, these are netsh.exe reads of its own helper-DLL key caused by the "netsh wlan show" commands; no write to HKLM\SOFTWARE\Microsoft\NetSh is recorded, so this is not helper-DLL persistence.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Note: the process reading NLS\Language is the dropped C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\tor-real.exe, and that read is ordinary locale initialization. The useful fact is the presence of a Tor client under a random-named directory next to p.dat, launched by the Starlabs copy (see the WriteProcessMemory entries for PID 4840), which is consistent with the GitHub download and the loopback connection to 127.0.0.1:7469 in behavioral1; the report itself does not state that link.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\tor-real.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\System32\cmd.exe
PID 1220 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\System32\cmd.exe
PID 1940 wrote to memory of 2304 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1940 wrote to memory of 2304 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1940 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 1940 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 1940 wrote to memory of 3844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1940 wrote to memory of 3844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1940 wrote to memory of 3128 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe
PID 1940 wrote to memory of 3128 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe
PID 3128 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\SYSTEM32\cmd.exe
PID 3128 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\SYSTEM32\cmd.exe
PID 3968 wrote to memory of 3324 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 3968 wrote to memory of 3324 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 3968 wrote to memory of 5064 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 3968 wrote to memory of 5064 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 3968 wrote to memory of 4640 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 3968 wrote to memory of 4640 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 3128 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\SYSTEM32\cmd.exe
PID 3128 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Windows\SYSTEM32\cmd.exe
PID 4516 wrote to memory of 3156 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4516 wrote to memory of 3156 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4516 wrote to memory of 3192 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4516 wrote to memory of 3192 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4516 wrote to memory of 3948 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4516 wrote to memory of 3948 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4840 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\tor-real.exe
PID 4840 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\tor-real.exe
PID 4840 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\tor-real.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe

"C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\schtasks.exe

schtasks /create /tn "f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe

"C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe

C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe

C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\tor-real.exe

"C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\torrc.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
N/A 127.0.0.1:4550 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.161.33.60:8080 104.161.33.60 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 60.33.161.104.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
N/A 127.0.0.1:4550 tcp
US 104.161.33.60:8080 104.161.33.60 tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 23.105.163.117:443 tcp
DE 185.220.101.137:10210 tcp
US 8.8.8.8:53 117.163.105.23.in-addr.arpa udp
RU 83.243.68.194:49005 tcp
N/A 127.0.0.1:50518 tcp
AT 37.252.188.180:443 tcp
US 128.31.0.39:9101 tcp
FR 54.38.92.43:9001 tcp
FR 212.47.236.95:443 tcp
CA 199.58.81.140:443 tcp
US 8.8.8.8:53 140.81.58.199.in-addr.arpa udp
GB 51.68.197.220:9001 tcp
DE 185.220.100.255:9000 tcp
US 8.8.8.8:53 220.197.68.51.in-addr.arpa udp
US 8.8.8.8:53 255.100.220.185.in-addr.arpa udp
GB 51.68.197.220:9001 tcp
FI 65.21.98.60:65011 tcp
DE 185.220.100.255:9000 tcp
US 8.8.8.8:53 60.98.21.65.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 94.12.20.2.in-addr.arpa udp

Files

memory/1220-0-0x00007FFA5E943000-0x00007FFA5E945000-memory.dmp

memory/1220-1-0x0000029CA8810000-0x0000029CA883C000-memory.dmp

memory/1220-2-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

memory/1220-6-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe.log

MD5 fc1be6f3f52d5c841af91f8fc3f790cb
SHA1 ac79b4229e0a0ce378ae22fc6104748c5f234511
SHA256 6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910
SHA512 2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

C:\Users\Admin\AppData\Local\Starlabs\f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e.exe

MD5 e13fb88ca7d0aef839c0ca07eb36d28b
SHA1 c020b62797cd6875ba054c40a9b2e416c56c8139
SHA256 f8dc556dc94d54b774d9420814893cf45c6eef5b1f7cf6d894987a8d3ffcfc2e
SHA512 1ac33d19dab7103f32bbf14c615a3d61288a42fcd410fc9de5208dc8dd64f90fe212195905ceb027bd7642157926e3bc2ecac2b45e7432c580793f6b60450051

C:\Users\Admin\AppData\Local\zfzs6gcqx8\p.dat

MD5 62021a18331216014fee6916d6ee9584
SHA1 4e7fd56dd4a60041092a5c1b1966eec2fc948abd
SHA256 5d69d55ace245c9ac57a0dcf38e08c6c60e5068411d65c176d14501644bdc118
SHA512 ffe9b79459b0db485518e434e3cee8f8742c8054ff550b6aaaec31cb6a11008fca3ad24ed3c03bebb1c61fc640b557f2c0822e828dcc5991587d5e50a2feeb10

C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\tor-real.exe

MD5 07244a2c002ffdf1986b454429eace0b
SHA1 d7cd121caac2f5989aa68a052f638f82d4566328
SHA256 e9522e6912a0124c0a8c9ff9bb3712b474971376a4eb4ca614bb1664a2b4abcf
SHA512 4a09db85202723a73703c5926921fef60c3dddae21528a01936987306c5e7937463f94a2f4a922811de1f76621def2a8a597a8b38a719dd24e6ff3d4e07492ca

C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\libssp-0.dll

MD5 b77328da7cead5f4623748a70727860d
SHA1 13b33722c55cca14025b90060e3227db57bf5327
SHA256 46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7
SHA512 2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2

C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\libevent-2-1-7.dll

MD5 a3bf8e33948d94d490d4613441685eee
SHA1 75ed7f6e2855a497f45b15270c3ad4aed6ad02e2
SHA256 91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585
SHA512 c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28

C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\libgcc_s_sjlj-1.dll

MD5 bd40ff3d0ce8d338a1fe4501cd8e9a09
SHA1 3aae8c33bf0ec9adf5fbf8a361445969de409b49
SHA256 ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c
SHA512 404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1

C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\libwinpthread-1.dll

MD5 19d7cc4377f3c09d97c6da06fbabc7dc
SHA1 3a3ba8f397fb95ed5df22896b2c53a326662fcc9
SHA256 228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d
SHA512 23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a

C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\libssl-1_1.dll

MD5 945d225539becc01fbca32e9ff6464f0
SHA1 a614eb470defeab01317a73380f44db669100406
SHA256 c697434857a039bf27238c105be0487a0c6c611dd36cb1587c3c6b3bf582718a
SHA512 409f8f1e6d683a3cbe7954bce37013316dee086cdbd7ecda88acb5d94031cff6166a93b641875116327151823cce747bcf254c0185e0770e2b74b7c5e067bc4a

C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\libcrypto-1_1.dll

MD5 6d48d76a4d1c9b0ff49680349c4d28ae
SHA1 1bb3666c16e11eff8f9c3213b20629f02d6a66cb
SHA256 3f08728c7a67e4998fbdc7a7cb556d8158efdcdaf0acf75b7789dccace55662d
SHA512 09a4fd7b37cf52f6a0c3bb0a7517e2d2439f4af8e03130aed3296d7448585ea5e3c0892e1e1202f658ef2d083ce13c436779e202c39620a70a17b026705c65c9

memory/4336-106-0x0000000075200000-0x0000000075226000-memory.dmp

memory/4336-107-0x0000000000990000-0x0000000000DA4000-memory.dmp

memory/4336-105-0x0000000075410000-0x000000007550B000-memory.dmp

C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\zlib1.dll

MD5 6f98da9e33cd6f3dd60950413d3638ac
SHA1 e630bdf8cebc165aa81464ff20c1d55272d05675
SHA256 219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773
SHA512 2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c

C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\torrc.txt

MD5 bf0f3f1bd39598fc6227753a363fb01d
SHA1 bb81e002a6c6d94f031d216a24cd95c29d6f1328
SHA256 653addaf134fc52b619dbc8af311ccb1e549f977007b3b2e5cb8284ff8e46a1e
SHA512 2a88e2479fc7381f9dfbcbc161208959434f62c1440d6de9e9bd0772580c23c3cea668103e018efc9e2c66496bda7b5f4865ebd8703dadd8257744b80d94db0f

C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\host\hostname

MD5 dc1efbdcbef689f52ddd694b80ed26bf
SHA1 34c8e9e98e48e41e38720d09b0c5befbca2dca4e
SHA256 61c14bdc9bb553ae7823da6f8de63e87f728a39c9fb9f480dcbc9c4428ad5cea
SHA512 e46cb4adcdef39daa18e0bdff25065e11bb32f4bba66941a620430f04735670d23f2839fefa3d946399f4288e9d4d111ef79b05ffdabba0dd9f7c059c852a126

memory/4336-123-0x0000000075200000-0x0000000075226000-memory.dmp

memory/4336-119-0x0000000075510000-0x0000000075554000-memory.dmp

memory/4336-124-0x0000000075110000-0x00000000751F6000-memory.dmp

memory/4336-125-0x0000000074E10000-0x0000000075106000-memory.dmp

memory/4336-122-0x0000000075230000-0x00000000752B1000-memory.dmp

memory/4336-121-0x0000000075300000-0x0000000075404000-memory.dmp

memory/4336-120-0x0000000075410000-0x000000007550B000-memory.dmp

memory/4336-118-0x0000000000990000-0x0000000000DA4000-memory.dmp

memory/4336-126-0x0000000000990000-0x0000000000DA4000-memory.dmp

C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\data\cached-microdesc-consensus.tmp

MD5 f0fc7a866199731412f77b1d5ccaa647
SHA1 de9056cb0dfbc37e62930c898b9713fa2dc09486
SHA256 51a9ac4e8928ea4f87829bc3702f9f83fcd1bcb9c76458ea86c62355c411ef08
SHA512 1e4c7a15ab9c238ed1bb6a9e33e20ce452507034a46580ee4604a283a029c3f322d20dba84653037bb1a7a712124b31bbf89402ac36b4296586f529a71e1b553

memory/4336-145-0x0000000000990000-0x0000000000DA4000-memory.dmp

C:\Users\Admin\AppData\Local\zfzs6gcqx8\tor\data\cached-microdescs.new

MD5 8332c1455fea9c376c97ebfa1af06610
SHA1 5814f694164c7b42e2d7a936531aae08d29480be
SHA256 e0fbefa51fffad3a5c47221067d02a91667bb734cc225c924400dc5d2b32fd39
SHA512 806f8153033d17229e35bef33d45ac73532d9bfae18b69dddb64dc42b79113eb0068df5ddd2898ec2e18ace50449156d4f477961950bb8e00029f364051d548a

memory/4336-173-0x0000000000990000-0x0000000000DA4000-memory.dmp

memory/4336-181-0x0000000000990000-0x0000000000DA4000-memory.dmp

memory/4336-189-0x0000000000990000-0x0000000000DA4000-memory.dmp

memory/4336-200-0x0000000000990000-0x0000000000DA4000-memory.dmp

memory/4336-208-0x0000000000990000-0x0000000000DA4000-memory.dmp