Malware Analysis Report

2025-01-18 16:32

Sample ID 241201-1lzmesxrhj
Target 4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148fN.exe
SHA256 4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148f
Tags
rat netwire warzonerat botnet discovery infostealer stealer
score
10/10

Analysis Overview

score
10/10

SHA256

4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148f

Threat Level: Known bad

The file 4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148fN.exe was found to be: Known bad.

Malicious Activity Summary

rat netwire warzonerat botnet discovery infostealer stealer

Warzonerat family

NetWire RAT payload

Netwire family

WarzoneRat, AveMaria

Netwire

Warzone RAT payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

AutoIT Executable

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-01 21:44

Signatures

NetWire RAT payload

rat

Netwire family

netwire

AutoIT Executable


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-12-01 21:44

Reported

2024-12-01 21:47

Platform

win7-20241023-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148fN.exe"

Signatures

NetWire RAT payload

rat

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat

AutoIT Executable


Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory


Processes

C:\Users\Admin\AppData\Local\Temp\4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148fN.exe

"C:\Users\Admin\AppData\Local\Temp\4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148fN.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148fN.exe

"C:\Users\Admin\AppData\Local\Temp\4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148fN.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {F27C539B-B3AC-4E63-94D2-BE3AF90822FC} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

memory/1268-0-0x0000000000230000-0x000000000039B000-memory.dmp

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 aec84ed08f47a839949b9b5b7feba6da
SHA1 818712e5b5c8a30998060d977c553c7501437628
SHA256 6067dc54e44d8f0f95e3032842e5e0bd83ff06c363db0da81c1aaee0512f9360
SHA512 379c772e6ef2d8e028dea4143e56c5fdd28687a2e1d4cc6e65ed97d5b908808e59aea14e625284f576284e428e2f9fd422755d3c64fc30fb9d8587f4242f799a

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-01 21:44

Reported

2024-12-01 21:47

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148fN.exe"

Signatures

NetWire RAT payload

rat

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148fN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

AutoIT Executable


Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory


Processes

C:\Users\Admin\AppData\Local\Temp\4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148fN.exe

"C:\Users\Admin\AppData\Local\Temp\4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148fN.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148fN.exe

"C:\Users\Admin\AppData\Local\Temp\4a59bf1f961c1f3c9aa03e3374563e2a2bb15da20de7f030b8c0585edd45148fN.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network


Files

memory/4248-0-0x0000000000230000-0x000000000039B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 3ae496ce917996b0922c40183ca605aa
SHA1 843263ef2b21a8e371676392fcea86b673df71c4
SHA256 42b4ed612757082477cf7e138e855ba0d4885be1f56b0a3aa1dc8309ccee33a5
SHA512 8d0d642c5cf43ee742270593bb808b1018908588ad36f660c11959e8e1cf57c9b89b48678f9960313dad8ad0d362091c52e250ca262f88bea44e5edf9ebb9a49
