Analysis Overview
SHA256
be758d2b22cbf30dc03aac1bd99508099107aec8c697a533ecbcb2c43b4a7aec
Threat Level: Known bad
The file was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
RedLine
Amadey
Downloads MZ/PE file
Executes dropped EXE
Deletes itself
Loads dropped DLL
Themida packer
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-14 08:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-14 08:20
Reported
2023-09-14 08:22
Platform
win7-20230831-en
Max time kernel
38s
Max time network
127s
Command Line
Signatures
Amadey
RedLine
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BE11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C1F9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C7B4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CE1B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D2ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB28.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2624 set thread context of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\C7B4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3060 set thread context of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\D2ED.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\BE11.exe
C:\Users\Admin\AppData\Local\Temp\BE11.exe
C:\Users\Admin\AppData\Local\Temp\C1F9.exe
C:\Users\Admin\AppData\Local\Temp\C1F9.exe
C:\Users\Admin\AppData\Local\Temp\C7B4.exe
C:\Users\Admin\AppData\Local\Temp\C7B4.exe
C:\Users\Admin\AppData\Local\Temp\CE1B.exe
C:\Users\Admin\AppData\Local\Temp\CE1B.exe
C:\Users\Admin\AppData\Local\Temp\D2ED.exe
C:\Users\Admin\AppData\Local\Temp\D2ED.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\DB28.exe
C:\Users\Admin\AppData\Local\Temp\DB28.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\EA17.exe
C:\Users\Admin\AppData\Local\Temp\EA17.exe
C:\Users\Admin\AppData\Local\Temp\FE53.exe
C:\Users\Admin\AppData\Local\Temp\FE53.exe
C:\Users\Admin\AppData\Local\Temp\872.exe
C:\Users\Admin\AppData\Local\Temp\872.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=CE1B.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
C:\Users\Admin\AppData\Local\Temp\C3A.exe
C:\Users\Admin\AppData\Local\Temp\C3A.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1272.dll
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\1272.dll
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {863E161C-5F5C-42BB-A4D7-3F1830929D7E} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
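The process list above shows a persistence routine typical of the Amadey loader flagged in this report: schtasks creates a task that relaunches yiueea.exe every minute from a user-writable Temp directory, cmd.exe then runs CACLS to strip the Admin user's own access to the dropper and its folder (so the user cannot simply delete it), and regsvr32 /s silently registers a DLL from Temp. The Python below is an example added by the editor, not sandbox output; it turns those three observations into command-line detection rules and runs them over the command lines copied from the list. The set of "user-writable" paths and the rule wording are the editor's assumptions.

```python
import re

# Sample input: command lines copied verbatim from the behavioral1 process list.
OBSERVED_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\file.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"'
    r'&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"'
    r'&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit',
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1272.dll',
]

# Editor's assumption: a task target or DLL under these per-user paths is attacker-controlled.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\', re.I)
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/Create\b', re.I)
SCHTASKS_TR = re.compile(r'/TR\s+"([^"]+)"', re.I)
SCHTASKS_MINUTE = re.compile(r'/SC\s+MINUTE\s+/MO\s+(\d+)', re.I)
# CACLS <target> /P "<principal>:N" replaces the ACL with "no access" for that principal.
CACLS_DENY = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):N"', re.I)
REGSVR32_SILENT = re.compile(r'regsvr32(?:\.exe)?"?\s+/s\s+"?([^"\s]+\.dll)', re.I)


def detect_persistence(cmdline):
    """Return one finding string per persistence / defence-evasion pattern in a command line."""
    findings = []
    tr = SCHTASKS_TR.search(cmdline)
    if SCHTASKS_CREATE.search(cmdline) and tr and USER_WRITABLE.search(tr.group(1)):
        mo = SCHTASKS_MINUTE.search(cmdline)
        cadence = f"every {mo.group(1)} min" if mo else "schedule not minute-based"
        findings.append(f"scheduled task launches user-writable binary {tr.group(1)} ({cadence})")
    for target, principal in CACLS_DENY.findall(cmdline):
        findings.append(f"CACLS denies {principal} all access to {target} (locks the dropper against removal)")
    rs = REGSVR32_SILENT.search(cmdline)
    if rs and USER_WRITABLE.search(rs.group(1)):
        findings.append(f"regsvr32 /s loads DLL from user-writable path {rs.group(1)}")
    return findings


def scan_process_list(cmdlines):
    """Map every command line that triggered at least one rule to its findings."""
    hits = {}
    for cmdline in cmdlines:
        findings = detect_persistence(cmdline)
        if findings:
            hits[cmdline] = findings
    return hits


if __name__ == "__main__":
    for cmdline, findings in scan_process_list(OBSERVED_CMDLINES).items():
        print(cmdline)
        for finding in findings:
            print("   ->", finding)
```

Match on the command line rather than the image path alone: the report lists the image as C:\Windows\SysWOW64\schtasks.exe while the command line says System32, because the 32-bit loader is subject to WoW64 file-system redirection, so an image-path rule pinned to System32 would miss this process.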
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.96.0:80 | potunulit.org | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| PE | 190.187.52.42:80 | colisumy.com | tcp |
| NL | 194.169.175.232:80 | 194.169.175.232 | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| PE | 190.187.52.42:80 | colisumy.com | tcp |
| NL | 194.169.175.232:80 | 194.169.175.232 | tcp |
| BG | 193.42.32.101:80 | 193.42.32.101 | tcp |
| US | 8.8.8.8:53 | login-sofi.4dq.com | udp |
| DE | 45.79.249.147:443 | login-sofi.4dq.com | tcp |
| DE | 45.79.249.147:443 | login-sofi.4dq.com | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| GB | 51.38.95.107:42494 | | tcp |
| NL | 194.169.175.232:45450 | | tcp |
| NL | 194.169.175.232:45450 | | tcp |
| US | 38.181.25.43:3325 | | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.146:80 | apps.identrust.com | tcp |
Files
memory/3020-0-0x0000000000220000-0x0000000000235000-memory.dmp
memory/3020-1-0x0000000000240000-0x0000000000249000-memory.dmp
memory/3020-2-0x0000000000400000-0x0000000000480000-memory.dmp
memory/1220-3-0x00000000029D0000-0x00000000029E6000-memory.dmp
memory/3020-7-0x0000000000240000-0x0000000000249000-memory.dmp
memory/3020-4-0x0000000000400000-0x0000000000480000-memory.dmp
memory/3020-8-0x0000000000220000-0x0000000000235000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BE11.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA1 | 877c209472761292e20de46711260b87b3c3a2ba |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
| SHA512 | 87b97ab758fdd34e0047f9cdc5cef3c1224d8f1b118d03eda5afbf1644381f4d21c7f2dab6dbb8c1bc88bc5d348c4994361d0dd79aa837b501e33dd5e3c5e6be |
C:\Users\Admin\AppData\Local\Temp\BE11.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA1 | 877c209472761292e20de46711260b87b3c3a2ba |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
| SHA512 | 87b97ab758fdd34e0047f9cdc5cef3c1224d8f1b118d03eda5afbf1644381f4d21c7f2dab6dbb8c1bc88bc5d348c4994361d0dd79aa837b501e33dd5e3c5e6be |
C:\Users\Admin\AppData\Local\Temp\C1F9.exe
| MD5 | 1b67e388efc2b48f047e9eeb16edcef2 |
| SHA1 | 2c5ddc2006c38caed1adab80df1e5a370821b47f |
| SHA256 | 46c718a1a788637723d284c0b8da50ff03c39ba214ee735c78b230d4055fa1f1 |
| SHA512 | 21fa1ebbba8a62176813547ee1a61297ab2ea862d36d349b06510819ce6d9d0502a2351ab23949248eb78335482defae86a98bc390e94cb08706219adb017e94 |
memory/1996-22-0x0000000001360000-0x0000000001C02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C7B4.exe
| MD5 | 47bf72d09074bd98b5022c0c384e3a18 |
| SHA1 | dc0e787ea6f91f8de6f342b052131a2a71682f4a |
| SHA256 | e196fc1201671122a3b8db9d285d367f87e6f14302f28b7362386bccbd09cc9b |
| SHA512 | 3c80a1c971f4424c14b540e665492c08f4fbe87b19ecf1c461f7d91ac5ca1eb5f6940b47de9a358f8fd96447c4ceb9141001189cfed55ec7659a4a34222d5dcd |
memory/1996-27-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-28-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-29-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-30-0x00000000760D0000-0x00000000761E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CE1B.exe
| MD5 | 52e2f416fb09cf8da94bf1a88a8bc31b |
| SHA1 | b368ea2376b00d1439e292952d281c577d26049b |
| SHA256 | cce9583aa5844ea41e7402a170d96eb8d6ab7b2b05363b7dbe81a2e8af655345 |
| SHA512 | a4ad5d6d60e8ee8d881552aba745a30d3ed0cc7021e503063f865f1fb1136b71b37aa6e6dae16ce1895f3d857eb80651bf0d194e9a506e5746ce96dc549d4732 |
C:\Users\Admin\AppData\Local\Temp\CE1B.exe
| MD5 | 52e2f416fb09cf8da94bf1a88a8bc31b |
| SHA1 | b368ea2376b00d1439e292952d281c577d26049b |
| SHA256 | cce9583aa5844ea41e7402a170d96eb8d6ab7b2b05363b7dbe81a2e8af655345 |
| SHA512 | a4ad5d6d60e8ee8d881552aba745a30d3ed0cc7021e503063f865f1fb1136b71b37aa6e6dae16ce1895f3d857eb80651bf0d194e9a506e5746ce96dc549d4732 |
memory/1996-37-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-39-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-42-0x00000000756E0000-0x0000000075727000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D2ED.exe
| MD5 | 24f97033c62127b816fe4733b9b8a3f0 |
| SHA1 | bd8a47ad195de6fa694a6b8de214a7d06b516824 |
| SHA256 | f1b1e5919f4add8c22320c69c6e394066de60695a36de7d4227efaadfef3e612 |
| SHA512 | c657278d886d296d2d7192b7a845a3d8accb59c15ea54b0588ebe0d595dbf0a403e674cb446f7c543502b1a9e24d064b0196c85eb3557ca473456aebbdfdf49a |
memory/1996-44-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1720-45-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1720-46-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1720-47-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1720-48-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1720-49-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1720-50-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1720-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1720-56-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DB28.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\DB28.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2648-63-0x00000000001D0000-0x0000000000200000-memory.dmp
memory/2648-65-0x0000000000400000-0x0000000000445000-memory.dmp
memory/1996-68-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-62-0x0000000001360000-0x0000000001C02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CE1B.exe
| MD5 | 52e2f416fb09cf8da94bf1a88a8bc31b |
| SHA1 | b368ea2376b00d1439e292952d281c577d26049b |
| SHA256 | cce9583aa5844ea41e7402a170d96eb8d6ab7b2b05363b7dbe81a2e8af655345 |
| SHA512 | a4ad5d6d60e8ee8d881552aba745a30d3ed0cc7021e503063f865f1fb1136b71b37aa6e6dae16ce1895f3d857eb80651bf0d194e9a506e5746ce96dc549d4732 |
memory/1996-70-0x00000000760D0000-0x00000000761E0000-memory.dmp
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2800-77-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2800-78-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2800-79-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2800-81-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2800-83-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2800-85-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2800-86-0x0000000000430000-0x0000000000436000-memory.dmp
memory/1720-87-0x0000000000210000-0x0000000000216000-memory.dmp
memory/1720-89-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/1996-96-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/2800-98-0x0000000074780000-0x0000000074E6E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA17.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA1 | 877c209472761292e20de46711260b87b3c3a2ba |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
| SHA512 | 87b97ab758fdd34e0047f9cdc5cef3c1224d8f1b118d03eda5afbf1644381f4d21c7f2dab6dbb8c1bc88bc5d348c4994361d0dd79aa837b501e33dd5e3c5e6be |
memory/1996-99-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-100-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-91-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-101-0x00000000756E0000-0x0000000075727000-memory.dmp
memory/1996-102-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-103-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-104-0x00000000756E0000-0x0000000075727000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1996-106-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-107-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-108-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-109-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-110-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-112-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1720-111-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/1996-113-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/2800-114-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/1996-115-0x00000000756E0000-0x0000000075727000-memory.dmp
memory/1996-116-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-117-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-118-0x00000000760D0000-0x00000000761E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FE53.exe
| MD5 | 47bf72d09074bd98b5022c0c384e3a18 |
| SHA1 | dc0e787ea6f91f8de6f342b052131a2a71682f4a |
| SHA256 | e196fc1201671122a3b8db9d285d367f87e6f14302f28b7362386bccbd09cc9b |
| SHA512 | 3c80a1c971f4424c14b540e665492c08f4fbe87b19ecf1c461f7d91ac5ca1eb5f6940b47de9a358f8fd96447c4ceb9141001189cfed55ec7659a4a34222d5dcd |
memory/1996-121-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-122-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-123-0x00000000756E0000-0x0000000075727000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FE53.exe
| MD5 | 47bf72d09074bd98b5022c0c384e3a18 |
| SHA1 | dc0e787ea6f91f8de6f342b052131a2a71682f4a |
| SHA256 | e196fc1201671122a3b8db9d285d367f87e6f14302f28b7362386bccbd09cc9b |
| SHA512 | 3c80a1c971f4424c14b540e665492c08f4fbe87b19ecf1c461f7d91ac5ca1eb5f6940b47de9a358f8fd96447c4ceb9141001189cfed55ec7659a4a34222d5dcd |
memory/1996-128-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-127-0x00000000756E0000-0x0000000075727000-memory.dmp
memory/1996-125-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-129-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-130-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-131-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-132-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-133-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-134-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-135-0x00000000760D0000-0x00000000761E0000-memory.dmp
\Users\Admin\AppData\Local\Temp\872.exe
| MD5 | c82816b9cae5ab07c38a317572f3453f |
| SHA1 | ce1911787bf09e30932a07308e9f1b04dcf7f3dd |
| SHA256 | 07f738a9553af970e5b75ea53d566ae2a04fcdb19642f6c4fe9b820e46b60695 |
| SHA512 | 0451c99010056aab9349295be93f4c41b1a4c9843c07cbc9f0c2a6e9ce7b69ff6ce0dafa05a6a81aebc952cd7bc20d4b74cfe4cacb14ca3c0fc568ef5593182b |
memory/1996-138-0x00000000756E0000-0x0000000075727000-memory.dmp
memory/1996-139-0x0000000077A90000-0x0000000077A92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\872.exe
| MD5 | c82816b9cae5ab07c38a317572f3453f |
| SHA1 | ce1911787bf09e30932a07308e9f1b04dcf7f3dd |
| SHA256 | 07f738a9553af970e5b75ea53d566ae2a04fcdb19642f6c4fe9b820e46b60695 |
| SHA512 | 0451c99010056aab9349295be93f4c41b1a4c9843c07cbc9f0c2a6e9ce7b69ff6ce0dafa05a6a81aebc952cd7bc20d4b74cfe4cacb14ca3c0fc568ef5593182b |
C:\Users\Admin\AppData\Local\Temp\872.exe
| MD5 | c82816b9cae5ab07c38a317572f3453f |
| SHA1 | ce1911787bf09e30932a07308e9f1b04dcf7f3dd |
| SHA256 | 07f738a9553af970e5b75ea53d566ae2a04fcdb19642f6c4fe9b820e46b60695 |
| SHA512 | 0451c99010056aab9349295be93f4c41b1a4c9843c07cbc9f0c2a6e9ce7b69ff6ce0dafa05a6a81aebc952cd7bc20d4b74cfe4cacb14ca3c0fc568ef5593182b |
memory/1996-146-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/1996-147-0x00000000760D0000-0x00000000761E0000-memory.dmp
memory/1996-149-0x0000000001360000-0x0000000001C02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C3A.exe
| MD5 | c2273e3679c0660d8b4cd294ec6f88a7 |
| SHA1 | 1b01c714e54dca1c562ccb77e746a9645eee7cfc |
| SHA256 | d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664 |
| SHA512 | afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d |
C:\Users\Admin\AppData\Local\Temp\C3A.exe
| MD5 | c2273e3679c0660d8b4cd294ec6f88a7 |
| SHA1 | 1b01c714e54dca1c562ccb77e746a9645eee7cfc |
| SHA256 | d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664 |
| SHA512 | afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d |
memory/2092-156-0x00000000000F0000-0x0000000000184000-memory.dmp
memory/2092-157-0x000007FEF5830000-0x000007FEF621C000-memory.dmp
memory/2800-160-0x0000000004AD0000-0x0000000004B10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1272.dll
| MD5 | cd473f96a31e502950837fb6ed2fe819 |
| SHA1 | 87bf2e1161ef159b56db4a6350d4dfe219f30683 |
| SHA256 | b862581cd97d94bcd7f955ab75da813d84c182e86722695e3b03f8229c4d6d5c |
| SHA512 | 509881a3eeec7f6bc7fb6973f0df61dfe631f1636f4fb19024915dc5b6a1c51c1882037a76afad897d3ea67c618ac08ae0b318809626ed06dbbd9dd86a731d94 |
memory/1216-172-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
\Users\Admin\AppData\Local\Temp\1272.dll
| MD5 | cd473f96a31e502950837fb6ed2fe819 |
| SHA1 | 87bf2e1161ef159b56db4a6350d4dfe219f30683 |
| SHA256 | b862581cd97d94bcd7f955ab75da813d84c182e86722695e3b03f8229c4d6d5c |
| SHA512 | 509881a3eeec7f6bc7fb6973f0df61dfe631f1636f4fb19024915dc5b6a1c51c1882037a76afad897d3ea67c618ac08ae0b318809626ed06dbbd9dd86a731d94 |
memory/1404-181-0x0000000010000000-0x00000000102D3000-memory.dmp
memory/1996-185-0x0000000000310000-0x0000000000325000-memory.dmp
memory/1996-186-0x0000000000310000-0x0000000000325000-memory.dmp
memory/1996-188-0x0000000000310000-0x0000000000325000-memory.dmp
memory/1996-190-0x0000000000310000-0x0000000000325000-memory.dmp
memory/1996-192-0x0000000000310000-0x0000000000325000-memory.dmp
memory/1996-194-0x0000000000310000-0x0000000000325000-memory.dmp
memory/1996-196-0x0000000000310000-0x0000000000325000-memory.dmp
memory/1996-198-0x0000000000310000-0x0000000000325000-memory.dmp
memory/1996-200-0x0000000000310000-0x0000000000325000-memory.dmp
memory/1996-202-0x0000000000310000-0x0000000000325000-memory.dmp
memory/1996-204-0x0000000000310000-0x0000000000325000-memory.dmp
memory/1996-206-0x0000000000310000-0x0000000000325000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabF72D.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarFD86.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 85daa237e6aef0260e783500c5649077 |
| SHA1 | abb7e594c3147951473fe1d3dbd9d14a87bca5a4 |
| SHA256 | aaef0dcf833d26d7114cb9459fdf8ee79721aa1de598ab3ea20438405f05d73c |
| SHA512 | e41100a317ea63bdb86ab54d8fd659c3b84d330243bad664e75462b5520b644c3b01915e639478b61041c21b29cf2760e243abc258d2f82576053af97ffb5e46 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-14 08:20
Reported
2023-09-14 08:22
Platform
win10v2004-20230831-en
Max time kernel
29s
Max time network
83s
Command Line
Signatures
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E927.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3200 wrote to memory of 4788 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E927.exe |
| PID 3200 wrote to memory of 4788 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E927.exe |
| PID 3200 wrote to memory of 4788 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E927.exe |
| PID 3200 wrote to memory of 2604 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ECA3.exe |
| PID 3200 wrote to memory of 2604 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ECA3.exe |
| PID 3200 wrote to memory of 2604 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ECA3.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\E927.exe
C:\Users\Admin\AppData\Local\Temp\E927.exe
C:\Users\Admin\AppData\Local\Temp\ECA3.exe
C:\Users\Admin\AppData\Local\Temp\ECA3.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.96.0:80 | potunulit.org | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| BA | 109.175.29.39:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | 39.29.175.109.in-addr.arpa | udp |
| NL | 194.169.175.232:80 | 194.169.175.232 | tcp |
Files
memory/4600-0-0x00000000005D0000-0x00000000005E5000-memory.dmp
memory/4600-1-0x00000000005F0000-0x00000000005F9000-memory.dmp
memory/4600-2-0x0000000000400000-0x0000000000480000-memory.dmp
memory/3200-3-0x0000000002DD0000-0x0000000002DE6000-memory.dmp
memory/4600-4-0x0000000000400000-0x0000000000480000-memory.dmp
memory/4600-7-0x00000000005D0000-0x00000000005E5000-memory.dmp
memory/4600-8-0x00000000005F0000-0x00000000005F9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E927.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA1 | 877c209472761292e20de46711260b87b3c3a2ba |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
| SHA512 | 87b97ab758fdd34e0047f9cdc5cef3c1224d8f1b118d03eda5afbf1644381f4d21c7f2dab6dbb8c1bc88bc5d348c4994361d0dd79aa837b501e33dd5e3c5e6be |
C:\Users\Admin\AppData\Local\Temp\E927.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA1 | 877c209472761292e20de46711260b87b3c3a2ba |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
| SHA512 | 87b97ab758fdd34e0047f9cdc5cef3c1224d8f1b118d03eda5afbf1644381f4d21c7f2dab6dbb8c1bc88bc5d348c4994361d0dd79aa837b501e33dd5e3c5e6be |
C:\Users\Admin\AppData\Local\Temp\ECA3.exe
| MD5 | b35ff3ab45d2407bd1b34003eb489cea |
| SHA1 | 584f03ab09d0cf915820cc3340a43e8a70b5379f |
| SHA256 | af332a8aec98c972093f3e3a54908c64564672f5bcc80efa5d3b17458649b3e3 |
| SHA512 | 4332f1b768349f0a9247518ccb6359db06c6ceb2d127d264603c12f7c3acb17e2b5bd333933f914df93f21e81da51fa80786c840b1ebcf302df6cef88de1c127 |
C:\Users\Admin\AppData\Local\Temp\ECA3.exe
| MD5 | d181016f1baa4cfee73eb7b5bae5b1c7 |
| SHA1 | 77f0d93e6ea1282fec709f9091d45daa69e0ad17 |
| SHA256 | 57844975b9c801e4c5ec37a8812998655696502604787402c21e1a5ea147ae54 |
| SHA512 | c5f7f6d102ddbfcc34685c7a7167bec255edc436ab68802f10ee31276022dfe6bb629e4b0e00cc66b4677771d079229c44fcfb2fceebab1f8262e453ec03a47a |
memory/2604-20-0x00000000003C0000-0x0000000000C62000-memory.dmp
memory/2604-21-0x0000000075B90000-0x0000000075C80000-memory.dmp
memory/2604-22-0x0000000075B90000-0x0000000075C80000-memory.dmp
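The Files listings above repeat the same binary under several drop names (BE11.exe, EA17.exe and E927.exe share one SHA256; DB28.exe is copied to 577f58beff\yiueea.exe), and behavioral2 records ECA3.exe with two different hashes, meaning the file was overwritten during the run. The Python below is an example added by the editor, not sandbox output; it parses an abridged copy of those listings (paths and hashes copied from the report, memory-dump lines kept to show they are skipped) and collapses them into one IOC per distinct binary, flagging any path whose content changed.

```python
import re
from collections import OrderedDict

# Abridged copy of the report's Files sections (behavioral1 and behavioral2).
# A path line is followed by its hash rows; memory/ lines are dump regions, not files.
FILES_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\BE11.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
memory/1996-22-0x0000000001360000-0x0000000001C02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DB28.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
C:\Users\Admin\AppData\Local\Temp\EA17.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
C:\Users\Admin\AppData\Local\Temp\E927.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
C:\Users\Admin\AppData\Local\Temp\ECA3.exe
| MD5 | b35ff3ab45d2407bd1b34003eb489cea |
| SHA256 | af332a8aec98c972093f3e3a54908c64564672f5bcc80efa5d3b17458649b3e3 |
C:\Users\Admin\AppData\Local\Temp\ECA3.exe
| MD5 | d181016f1baa4cfee73eb7b5bae5b1c7 |
| SHA256 | 57844975b9c801e4c5ec37a8812998655696502604787402c21e1a5ea147ae54 |
"""

HASH_ROW = re.compile(r'^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$')
# The report prints paths either with a drive letter or as a bare NT-style path.
PATH_LINE = re.compile(r'^(?:[A-Za-z]:)?\\')


def parse_files(text):
    """Return [(path, {algo: hexdigest})] in report order, skipping memory dumps and orphan rows."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        row = HASH_ROW.match(line)
        if row and current is not None:
            current[1][row.group(1).upper()] = row.group(2).lower()
        elif PATH_LINE.match(line):
            current = (line, {})
            entries.append(current)
        else:
            current = None          # memory/ line or blank: hash rows after it belong to nobody
    return [(path, hashes) for path, hashes in entries if 'SHA256' in hashes]


def group_by_sha256(text):
    """One entry per distinct binary: SHA256 -> every path it was written under."""
    groups = OrderedDict()
    for path, hashes in parse_files(text):
        paths = groups.setdefault(hashes['SHA256'], [])
        if path not in paths:
            paths.append(path)
    return groups


def rewritten_paths(text):
    """Paths recorded with more than one SHA256: the file changed content during the run."""
    seen = {}
    for path, hashes in parse_files(text):
        seen.setdefault(path, set()).add(hashes['SHA256'])
    return sorted(path for path, shas in seen.items() if len(shas) > 1)


def ioc_list(text):
    """Deduplicated IOC rows: SHA256 plus the sorted set of file names it was dropped as."""
    return [{'sha256': sha, 'names': sorted({p.rsplit('\\', 1)[-1] for p in paths})}
            for sha, paths in group_by_sha256(text).items()]


if __name__ == "__main__":
    for row in ioc_list(FILES_EXCERPT):
        print(row['sha256'], ", ".join(row['names']))
    for path in rewritten_paths(FILES_EXCERPT):
        print("overwritten during run:", path)
```

Block on the SHA256 values, not the drop names: the names are four random hex characters chosen per run (compare BE11.exe in behavioral1 with E927.exe in behavioral2 for the same hash), so a name-based indicator is worthless across detonations. A path that shows up with two hashes, as ECA3.exe does here, is worth a second look, since only one of the two contents was the one that actually executed.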