Malware Analysis Report

2025-04-13 11:32

Sample ID 220624-2vdlzsgcan
Target b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91
SHA256 b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91
Tags
cryptbot discovery evasion spyware stealer suricata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91

Threat Level: Known bad

The file b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery evasion spyware stealer suricata

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Blocklisted process makes network request

Reads user/profile data of web browsers

Checks BIOS information in registry

Identifies Wine through registry keys

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-24 22:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-24 22:53

Reported

2022-06-24 23:01

Platform

win7-20220414-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe"

Signatures

CryptBot

spyware stealer cryptbot

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\CScript.exe N/A
N/A N/A C:\Windows\SysWOW64\CScript.exe N/A
N/A N/A C:\Windows\SysWOW64\CScript.exe N/A
N/A N/A C:\Windows\SysWOW64\CScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
N/A N/A C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
N/A N/A C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\OemWin2k.inf C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\tap0901.cat C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\countries.tsv C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\vpnpro.PTB.lng C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\vpnpro.RUS.lng C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\ssleay32.dll C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\superb.ovpn C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\test.ovpn C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\ipras.vbs C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\deltapall.bat C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\devcon.exe C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\tap0901.sys C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\vpn850936802.ovpn C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\addtap.bat C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\tapinstall.exe C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\OemVista.inf C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob value elided) C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
N/A N/A C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe
PID 1208 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe
PID 1208 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe
PID 1208 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe
PID 1208 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe
PID 1208 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe
PID 1208 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe
PID 1208 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Windows\SysWOW64\CScript.exe
PID 1208 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Windows\SysWOW64\CScript.exe
PID 1208 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Windows\SysWOW64\CScript.exe
PID 1208 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Windows\SysWOW64\CScript.exe
PID 1208 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Windows\SysWOW64\CScript.exe
PID 1208 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Windows\SysWOW64\CScript.exe
PID 1208 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Windows\SysWOW64\CScript.exe
PID 1208 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe
PID 1208 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe
PID 1208 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe
PID 1208 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe
PID 1208 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe
PID 1208 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe
PID 1208 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe

"C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe"

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe

"C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe"

C:\Windows\SysWOW64\CScript.exe

"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Ferr\SEDA\SX\bin\ipras.vbs" //e:vbscript //B //NOLOGO

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe

"C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 biss01.info udp

Files

memory/1208-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsoF77B.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe

MD5 b5861c96767caed4fce1473ac338d1bf
SHA1 c9575e657706a01a28aa63943f39018377a5dfe1
SHA256 883ecab1d18c6e8153b56541df2df4980a27f5faa93ba2b42ff1dd14a8f4c161
SHA512 388bb192a27442c80f0ece67ef5e43ec6e148e24aa4634a524d3e7ec3cbd78b11bd4a200d76610168efd52711af8e3d6b2773088f09630843d9cfd6a02ab2240

memory/2012-57-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe

MD5 b5861c96767caed4fce1473ac338d1bf
SHA1 c9575e657706a01a28aa63943f39018377a5dfe1
SHA256 883ecab1d18c6e8153b56541df2df4980a27f5faa93ba2b42ff1dd14a8f4c161
SHA512 388bb192a27442c80f0ece67ef5e43ec6e148e24aa4634a524d3e7ec3cbd78b11bd4a200d76610168efd52711af8e3d6b2773088f09630843d9cfd6a02ab2240

\Users\Admin\AppData\Local\Temp\nsoF77B.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe

MD5 b5861c96767caed4fce1473ac338d1bf
SHA1 c9575e657706a01a28aa63943f39018377a5dfe1
SHA256 883ecab1d18c6e8153b56541df2df4980a27f5faa93ba2b42ff1dd14a8f4c161
SHA512 388bb192a27442c80f0ece67ef5e43ec6e148e24aa4634a524d3e7ec3cbd78b11bd4a200d76610168efd52711af8e3d6b2773088f09630843d9cfd6a02ab2240

\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe

MD5 b5861c96767caed4fce1473ac338d1bf
SHA1 c9575e657706a01a28aa63943f39018377a5dfe1
SHA256 883ecab1d18c6e8153b56541df2df4980a27f5faa93ba2b42ff1dd14a8f4c161
SHA512 388bb192a27442c80f0ece67ef5e43ec6e148e24aa4634a524d3e7ec3cbd78b11bd4a200d76610168efd52711af8e3d6b2773088f09630843d9cfd6a02ab2240

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe

MD5 b5861c96767caed4fce1473ac338d1bf
SHA1 c9575e657706a01a28aa63943f39018377a5dfe1
SHA256 883ecab1d18c6e8153b56541df2df4980a27f5faa93ba2b42ff1dd14a8f4c161
SHA512 388bb192a27442c80f0ece67ef5e43ec6e148e24aa4634a524d3e7ec3cbd78b11bd4a200d76610168efd52711af8e3d6b2773088f09630843d9cfd6a02ab2240

memory/964-64-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Ferr\SEDA\SX\bin\ipras.vbs

MD5 b802ff9244875f69db2fae0f78e92b10
SHA1 49385a89cd575894a29fbda969b99cc1f5cf8076
SHA256 a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
SHA512 609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e

memory/1208-67-0x0000000002690000-0x0000000002BDF000-memory.dmp

memory/2012-68-0x0000000000120000-0x000000000066F000-memory.dmp

memory/2012-69-0x0000000001200000-0x000000000174F000-memory.dmp

memory/2012-70-0x00000000737B1000-0x00000000737B3000-memory.dmp

memory/2012-71-0x0000000077000000-0x0000000077180000-memory.dmp

memory/2012-72-0x0000000000120000-0x000000000066F000-memory.dmp

memory/2012-73-0x00000000732A1000-0x00000000732A3000-memory.dmp

memory/2012-79-0x0000000073731000-0x0000000073733000-memory.dmp

memory/2012-80-0x0000000073E11000-0x0000000073E13000-memory.dmp

\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe

MD5 c9638374b6732d9756d9a6ae50061747
SHA1 7952f8225a6cf692ce226bfaf8112260e4ac2b71
SHA256 34d2e90229c1c3c41b931bb65ea015f023744543d915dcfeffe2328e32c27e8e
SHA512 428d4977300ba3f95905f655a93aaad89145e8c09a96491ad8142be18a6802294e735f9b3fe04845c5c80a3997275203d3a5861fc7e4cc185fb8eae19b2a0ffa

memory/988-82-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe

MD5 c9638374b6732d9756d9a6ae50061747
SHA1 7952f8225a6cf692ce226bfaf8112260e4ac2b71
SHA256 34d2e90229c1c3c41b931bb65ea015f023744543d915dcfeffe2328e32c27e8e
SHA512 428d4977300ba3f95905f655a93aaad89145e8c09a96491ad8142be18a6802294e735f9b3fe04845c5c80a3997275203d3a5861fc7e4cc185fb8eae19b2a0ffa

\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe

MD5 c9638374b6732d9756d9a6ae50061747
SHA1 7952f8225a6cf692ce226bfaf8112260e4ac2b71
SHA256 34d2e90229c1c3c41b931bb65ea015f023744543d915dcfeffe2328e32c27e8e
SHA512 428d4977300ba3f95905f655a93aaad89145e8c09a96491ad8142be18a6802294e735f9b3fe04845c5c80a3997275203d3a5861fc7e4cc185fb8eae19b2a0ffa

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe

MD5 c9638374b6732d9756d9a6ae50061747
SHA1 7952f8225a6cf692ce226bfaf8112260e4ac2b71
SHA256 34d2e90229c1c3c41b931bb65ea015f023744543d915dcfeffe2328e32c27e8e
SHA512 428d4977300ba3f95905f655a93aaad89145e8c09a96491ad8142be18a6802294e735f9b3fe04845c5c80a3997275203d3a5861fc7e4cc185fb8eae19b2a0ffa

\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe

MD5 c9638374b6732d9756d9a6ae50061747
SHA1 7952f8225a6cf692ce226bfaf8112260e4ac2b71
SHA256 34d2e90229c1c3c41b931bb65ea015f023744543d915dcfeffe2328e32c27e8e
SHA512 428d4977300ba3f95905f655a93aaad89145e8c09a96491ad8142be18a6802294e735f9b3fe04845c5c80a3997275203d3a5861fc7e4cc185fb8eae19b2a0ffa

memory/1208-89-0x0000000002710000-0x0000000002C3D000-memory.dmp

memory/988-90-0x0000000000400000-0x000000000092D000-memory.dmp

memory/988-91-0x0000000001330000-0x000000000185D000-memory.dmp

memory/988-92-0x0000000001330000-0x000000000185D000-memory.dmp

memory/988-94-0x0000000077000000-0x0000000077180000-memory.dmp

memory/988-95-0x0000000000400000-0x000000000092D000-memory.dmp

memory/2012-96-0x0000000000120000-0x000000000066F000-memory.dmp

memory/2012-97-0x0000000001200000-0x000000000174F000-memory.dmp

memory/2012-98-0x0000000000120000-0x000000000066F000-memory.dmp

memory/988-99-0x0000000000400000-0x000000000092D000-memory.dmp

memory/988-100-0x0000000000400000-0x000000000092D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-24 22:53

Reported

2022-06-24 23:01

Platform

win10v2004-20220414-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe"

Signatures

CryptBot

spyware stealer cryptbot

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\CScript.exe N/A
N/A N/A C:\Windows\SysWOW64\CScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
N/A N/A C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
N/A N/A C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Ferr\SEDA\vpnpro.RUS.lng C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\ipras.vbs C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\vpnpro.PTB.lng C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\ssleay32.dll C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\vpn850936802.ovpn C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\deltapall.bat C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\tapinstall.exe C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\OemVista.inf C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\countries.tsv C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\OemWin2k.inf C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\tap0901.cat C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\tap0901.sys C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\devcon.exe C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\test.ovpn C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\addtap.bat C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A
File created C:\Program Files (x86)\Ferr\SEDA\SX\bin\superb.ovpn C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1364 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe
PID 1364 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe
PID 1364 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe
PID 1364 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Windows\SysWOW64\CScript.exe
PID 1364 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Windows\SysWOW64\CScript.exe
PID 1364 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Windows\SysWOW64\CScript.exe
PID 1364 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe
PID 1364 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe
PID 1364 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe

"C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe"

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe

"C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe"

C:\Windows\SysWOW64\CScript.exe

"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Ferr\SEDA\SX\bin\ipras.vbs" //e:vbscript //B //NOLOGO

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe

"C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
NL 8.238.24.126:80 tcp
NL 8.238.24.126:80 tcp
GB 51.104.15.252:443 tcp
US 8.8.8.8:53 biss01.info udp
NL 8.238.24.126:80 tcp
NL 8.238.24.126:80 tcp
NL 8.238.24.126:80 tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
US 8.8.8.8:53 biss01.info udp
US 8.8.8.8:53 biss01.info udp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 biss01.info udp
US 8.8.8.8:53 d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa udp
US 8.8.8.8:53 biss01.info udp
US 8.8.8.8:53 biss01.info udp
US 8.8.8.8:53 biss01.info udp
US 8.8.8.8:53 biss01.info udp
US 8.8.8.8:53 biss01.info udp
US 8.8.8.8:53 biss01.info udp
US 8.8.8.8:53 biss01.info udp
US 8.8.8.8:53 biss01.info udp
US 8.8.8.8:53 biss01.info udp
US 8.8.8.8:53 biss01.info udp
US 8.8.8.8:53 biss01.info udp
US 8.8.8.8:53 biss01.info udp

Files

C:\Users\Admin\AppData\Local\Temp\nsb64EA.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

memory/3148-131-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe

MD5 b5861c96767caed4fce1473ac338d1bf
SHA1 c9575e657706a01a28aa63943f39018377a5dfe1
SHA256 883ecab1d18c6e8153b56541df2df4980a27f5faa93ba2b42ff1dd14a8f4c161
SHA512 388bb192a27442c80f0ece67ef5e43ec6e148e24aa4634a524d3e7ec3cbd78b11bd4a200d76610168efd52711af8e3d6b2773088f09630843d9cfd6a02ab2240

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe

MD5 b5861c96767caed4fce1473ac338d1bf
SHA1 c9575e657706a01a28aa63943f39018377a5dfe1
SHA256 883ecab1d18c6e8153b56541df2df4980a27f5faa93ba2b42ff1dd14a8f4c161
SHA512 388bb192a27442c80f0ece67ef5e43ec6e148e24aa4634a524d3e7ec3cbd78b11bd4a200d76610168efd52711af8e3d6b2773088f09630843d9cfd6a02ab2240

C:\Users\Admin\AppData\Local\Temp\nsb64EA.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

memory/2224-135-0x0000000000000000-mapping.dmp

memory/3148-136-0x0000000000450000-0x000000000099F000-memory.dmp

C:\Program Files (x86)\Ferr\SEDA\SX\bin\ipras.vbs

MD5 b802ff9244875f69db2fae0f78e92b10
SHA1 49385a89cd575894a29fbda969b99cc1f5cf8076
SHA256 a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
SHA512 609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e

memory/3148-138-0x0000000077800000-0x00000000779A3000-memory.dmp

memory/3148-139-0x0000000000450000-0x000000000099F000-memory.dmp

memory/4928-140-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe

MD5 c9638374b6732d9756d9a6ae50061747
SHA1 7952f8225a6cf692ce226bfaf8112260e4ac2b71
SHA256 34d2e90229c1c3c41b931bb65ea015f023744543d915dcfeffe2328e32c27e8e
SHA512 428d4977300ba3f95905f655a93aaad89145e8c09a96491ad8142be18a6802294e735f9b3fe04845c5c80a3997275203d3a5861fc7e4cc185fb8eae19b2a0ffa

memory/4928-142-0x0000000000400000-0x000000000092D000-memory.dmp

memory/4928-143-0x0000000077800000-0x00000000779A3000-memory.dmp

memory/4928-144-0x0000000000400000-0x000000000092D000-memory.dmp

memory/3148-145-0x0000000077800000-0x00000000779A3000-memory.dmp

memory/3148-146-0x0000000000450000-0x000000000099F000-memory.dmp

memory/4928-147-0x0000000000400000-0x000000000092D000-memory.dmp

memory/4928-148-0x0000000000400000-0x000000000092D000-memory.dmp