Malware Analysis Report

2025-04-03 14:11

Sample ID 241104-yf7dzawfnl
Target 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d
SHA256 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d
Tags
collection discovery persistence privilege_escalation spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d

Threat Level: Shows suspicious behavior

The file 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d was found to show suspicious behavior.

Malicious Activity Summary

collection discovery persistence privilege_escalation spyware stealer

Executes dropped EXE

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Checks installed software on the system

Accesses Microsoft Outlook profiles

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Browser Information Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 19:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 19:44

Reported

2024-11-04 19:47

Platform

win7-20240903-en

Max time kernel

117s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe"

Signatures

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 576 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 576 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 576 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 576 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 576 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 576 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 576 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 576 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2380 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2828 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2828 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2828 wrote to memory of 2280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2828 wrote to memory of 2280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2828 wrote to memory of 2280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2828 wrote to memory of 1040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2828 wrote to memory of 1040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2828 wrote to memory of 1040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe

"C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

Network

Country Destination Domain Proto
N/A 127.0.0.1:8194 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
DE 41.216.183.9:8080 41.216.183.9 tcp

Files

memory/2380-0-0x000007FEF5173000-0x000007FEF5174000-memory.dmp

memory/2380-1-0x00000000009B0000-0x0000000000A78000-memory.dmp

memory/2380-2-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

memory/2380-3-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9F3.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarA53.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2380-39-0x000007FEF5173000-0x000007FEF5174000-memory.dmp

memory/2380-40-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98c015d3c960c29cabfaaa6ffa41a354
SHA1 a984e2cae25b0897b0b9487d26ed43b01884d87b
SHA256 400ae8686b71a63123265353441b2147a7ae22569b7179211b5a2f5ea371bf7e
SHA512 fe6793ec6db1a1c3256b0458260b407a500b2c3aad867b0c77dd603c5893407b22c0f4bc429d0e23bdb124414abc688167695149ab987e75664e692ee0b48aa2

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 19:44

Reported

2024-11-04 19:47

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 752 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe
PID 752 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe
PID 752 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe
PID 752 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe C:\Windows\SYSTEM32\cmd.exe
PID 752 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe C:\Windows\SYSTEM32\cmd.exe
PID 5044 wrote to memory of 3988 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 5044 wrote to memory of 3988 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 5044 wrote to memory of 840 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 5044 wrote to memory of 840 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 5044 wrote to memory of 692 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 5044 wrote to memory of 692 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 752 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe C:\Windows\SYSTEM32\cmd.exe
PID 752 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe C:\Windows\SYSTEM32\cmd.exe
PID 1016 wrote to memory of 3284 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1016 wrote to memory of 3284 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1016 wrote to memory of 404 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1016 wrote to memory of 404 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1016 wrote to memory of 4472 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 1016 wrote to memory of 4472 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe

"C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe"

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe

"C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\dp3s81isgn\tor\torrc.txt"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
N/A 127.0.0.1:4372 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 116.203.23.183:9001 tcp
DE 185.220.101.7:20007 tcp
US 8.8.8.8:53 ip-api.com udp
N/A 127.0.0.1:60143 tcp
US 208.95.112.1:80 ip-api.com tcp
NL 37.218.242.84:8443 tcp
US 8.8.8.8:53 84.242.218.37.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
DE 41.216.183.9:8080 41.216.183.9 tcp
US 8.8.8.8:53 9.183.216.41.in-addr.arpa udp
US 23.236.143.66:443 tcp
FI 65.109.30.253:28710 tcp
US 8.8.8.8:53 253.30.109.65.in-addr.arpa udp
US 8.8.8.8:53 66.143.236.23.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 23.236.143.66:443 tcp
FI 65.109.30.253:28710 tcp

Files

memory/752-0-0x00007FFD366D3000-0x00007FFD366D5000-memory.dmp

memory/752-1-0x000002014FA90000-0x000002014FB58000-memory.dmp

memory/752-3-0x00007FFD366D0000-0x00007FFD37191000-memory.dmp

memory/752-4-0x00007FFD366D0000-0x00007FFD37191000-memory.dmp

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe

MD5 07244a2c002ffdf1986b454429eace0b
SHA1 d7cd121caac2f5989aa68a052f638f82d4566328
SHA256 e9522e6912a0124c0a8c9ff9bb3712b474971376a4eb4ca614bb1664a2b4abcf
SHA512 4a09db85202723a73703c5926921fef60c3dddae21528a01936987306c5e7937463f94a2f4a922811de1f76621def2a8a597a8b38a719dd24e6ff3d4e07492ca

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\libevent-2-1-7.dll

MD5 a3bf8e33948d94d490d4613441685eee
SHA1 75ed7f6e2855a497f45b15270c3ad4aed6ad02e2
SHA256 91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585
SHA512 c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\libgcc_s_sjlj-1.dll

MD5 bd40ff3d0ce8d338a1fe4501cd8e9a09
SHA1 3aae8c33bf0ec9adf5fbf8a361445969de409b49
SHA256 ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c
SHA512 404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\libssp-0.dll

MD5 b77328da7cead5f4623748a70727860d
SHA1 13b33722c55cca14025b90060e3227db57bf5327
SHA256 46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7
SHA512 2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\zlib1.dll

MD5 6f98da9e33cd6f3dd60950413d3638ac
SHA1 e630bdf8cebc165aa81464ff20c1d55272d05675
SHA256 219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773
SHA512 2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\libssl-1_1.dll

MD5 945d225539becc01fbca32e9ff6464f0
SHA1 a614eb470defeab01317a73380f44db669100406
SHA256 c697434857a039bf27238c105be0487a0c6c611dd36cb1587c3c6b3bf582718a
SHA512 409f8f1e6d683a3cbe7954bce37013316dee086cdbd7ecda88acb5d94031cff6166a93b641875116327151823cce747bcf254c0185e0770e2b74b7c5e067bc4a

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\libcrypto-1_1.dll

MD5 6d48d76a4d1c9b0ff49680349c4d28ae
SHA1 1bb3666c16e11eff8f9c3213b20629f02d6a66cb
SHA256 3f08728c7a67e4998fbdc7a7cb556d8158efdcdaf0acf75b7789dccace55662d
SHA512 09a4fd7b37cf52f6a0c3bb0a7517e2d2439f4af8e03130aed3296d7448585ea5e3c0892e1e1202f658ef2d083ce13c436779e202c39620a70a17b026705c65c9

memory/3928-96-0x0000000075450000-0x000000007554B000-memory.dmp

memory/3928-100-0x0000000075450000-0x000000007554B000-memory.dmp

memory/3928-98-0x0000000000FF0000-0x0000000001404000-memory.dmp

memory/3928-99-0x0000000075451000-0x000000007549F000-memory.dmp

memory/3928-97-0x00000000751F0000-0x0000000075216000-memory.dmp

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\torrc.txt

MD5 950c6dd3845ac4c8dee7f408e3aaa0bc
SHA1 82838d154c73b8a6dd63d9ef137bda00c70ec68b
SHA256 0e71bed02033967e5b4a0f623a1764ebd8aff8f56bb7f1f86e0aabd6d2dac229
SHA512 58a1842b83d973f3b7b6aae8e864c0e49f34eefbcc42dc53193df75e0dc5c854f8c4201f6afd8a4eeea350b9b737264d5290679ca12143b1c17096c5517021ed

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\libwinpthread-1.dll

MD5 19d7cc4377f3c09d97c6da06fbabc7dc
SHA1 3a3ba8f397fb95ed5df22896b2c53a326662fcc9
SHA256 228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d
SHA512 23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\host\hostname

MD5 e54ec1ae28b37b650384d7a43f9fcd4f
SHA1 2298cf9c400a3621a898083744cfd1193e1a8c54
SHA256 f3509118b2d370ded110eab66462e400c509f5fd79f0e4c18be84d6a2150324b
SHA512 37bb1b259af926aea8593fa8f4b7ff6d8e9b99db59176644e9b20a5ba370d74e64c9a252feb5d9979a890c27b1e50f58b24e7af2fa2221327b1044aadd5508c5

memory/752-111-0x00007FFD366D3000-0x00007FFD366D5000-memory.dmp

memory/752-112-0x00007FFD366D0000-0x00007FFD37191000-memory.dmp

memory/752-113-0x00007FFD366D0000-0x00007FFD37191000-memory.dmp

memory/3928-116-0x0000000075450000-0x000000007554B000-memory.dmp

memory/3928-123-0x0000000075100000-0x00000000751E6000-memory.dmp

memory/3928-124-0x0000000074E00000-0x00000000750F6000-memory.dmp

memory/3928-120-0x00000000752F0000-0x00000000753F4000-memory.dmp

memory/3928-117-0x0000000000FF0000-0x0000000001404000-memory.dmp

memory/3928-121-0x0000000075220000-0x00000000752A1000-memory.dmp

memory/3928-122-0x00000000751F0000-0x0000000075216000-memory.dmp

memory/3928-119-0x0000000075400000-0x0000000075444000-memory.dmp

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\data\cached-microdesc-consensus.tmp

MD5 dac4c15a1e66c0588ccfeb3cb4f21725
SHA1 cfa28f79b0e1cbb0f23925d68610628cd33e5ea0
SHA256 9521221a71778d25fec446584d3093ac9bc0851cfab0d9e7b3b7facaf0b3a148
SHA512 3d8935230f63ba9eaf3608c1c62f4bf3978180352080dcdc13c75622294ed9f86933dedf7c2cd9b91419f99e9f86eccac98d8fef961bc85b7bc77fc04c6e8bbb

memory/3928-134-0x0000000000FF0000-0x0000000001404000-memory.dmp

memory/3928-143-0x0000000000FF0000-0x0000000001404000-memory.dmp

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\data\cached-microdescs.new

MD5 a45aaf7a1d1006ac3a02da4b50c12194
SHA1 68cba3e318d9ecc4cb996c920e391acc3aa59fea
SHA256 7612b2a5e7798a7d17f0d130ad5b08e87650af20a7d88c1d6d2ba71f7d4a0581
SHA512 5e3070667369a1018ccaa7cffa2a673f43ea6fdddd8ae292bd10a85bb4d1f797bc8896c70d2fa86ecddec93ec51b57cc6ddee43ad8462be035986cdbef5ae70a

memory/3928-157-0x0000000000FF0000-0x0000000001404000-memory.dmp

memory/3928-168-0x0000000000FF0000-0x0000000001404000-memory.dmp

memory/3928-176-0x0000000000FF0000-0x0000000001404000-memory.dmp

memory/3928-184-0x0000000000FF0000-0x0000000001404000-memory.dmp

memory/3928-192-0x0000000000FF0000-0x0000000001404000-memory.dmp