Malware Analysis Report

2024-10-19 02:13

Sample ID 231230-cjrxssgfen
Target 0b174fea183b59e9fd82bbbf4d6ca51a
SHA256 7e85e9eea33b5c3576d801f9206cba0132f81e569c31e0f76f0ba9229b50b083
Tags
nullmixer smokeloader vidar 706 pub5 agilenet aspackv2 backdoor dropper stealer trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file 0b174fea183b59e9fd82bbbf4d6ca51a was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

NullMixer

Vidar

Nirsoft

Vidar Stealer

Obfuscated with Agile.Net obfuscator

UPX packed file

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Looks up external IP address via web service

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 02:06

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 02:06

Reported

2023-12-30 15:31

Platform

win7-20231215-en

Max time kernel

0s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe"

Signatures

NullMixer

dropper nullmixer

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Nirsoft

Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet

UPX packed file

upx

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1880 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe
PID 680 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe

"C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_3.exe

metina_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_7.exe

metina_7.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe

C:\Users\Admin\AppData\Local\Temp\is-FLGI5.tmp\metina_5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FLGI5.tmp\metina_5.tmp" /SL5="$2019C,189670,105984,C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_5.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k SystemNetworkService

C:\Windows\SysWOW64\rUNdlL32.eXe

"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",init

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 408

C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_4.exe

metina_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_5.exe

metina_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_1.exe

metina_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_2.exe

metina_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_6.exe

metina_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_1.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\system32\taskeng.exe

taskeng.exe {5C9CF218-CB7E-490E-A85A-35DCE85C43CC} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\sjtitag

C:\Users\Admin\AppData\Roaming\sjtitag

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 razino.xyz udp
US 8.8.8.8:53 email.yg9.me udp
US 8.8.8.8:53 cor-tips.com udp
US 8.8.8.8:53 bandakere.tumblr.com udp
US 74.114.154.22:443 bandakere.tumblr.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 195.133.40.148:80 195.133.40.148 tcp
US 8.8.8.8:53 www.facebook.com udp
GB 157.240.221.35:443 www.facebook.com tcp
DE 159.69.20.131:80 159.69.20.131 tcp
US 8.8.8.8:53 dinger-bauunternehmen.de udp
DE 159.69.20.131:443 dinger-bauunternehmen.de tcp
US 8.8.8.8:53 uehge4g6gh.2ihsfa.com udp
US 13.248.169.48:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 ppcspb.com udp
US 8.8.8.8:53 mebbing.com udp
US 8.8.8.8:53 twcamel.com udp
US 8.8.8.8:53 howdycash.com udp
CA 23.227.38.32:80 howdycash.com tcp
US 8.8.8.8:53 lahuertasonora.com udp
US 8.8.8.8:53 kpotiques.com udp
US 104.253.227.240:80 kpotiques.com tcp
US 8.8.8.8:53 pupdatastar.tech udp
N/A 127.0.0.1:49263 tcp
N/A 127.0.0.1:49265 tcp
DE 159.69.20.131:80 dinger-bauunternehmen.de tcp

Files

\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe

MD5 af41d6d43df35d8c831695e584169a71
SHA1 bb8d6f081e93d2860ce62fabefbe9cdf80ebf06e
SHA256 cbab323219211a8bb57f5b0ee9bdd97b45724c61da8b842f02174ed87f908141
SHA512 5fce8bb65d14ca38178ac1cf9ba7d012a2e64b7af9ae3c6cf31b6cf7be44708474b9381da50cb9c9eea9a4b0429eb4b2e280afba0424b6f5ef0a26379221af9a

\Users\Admin\AppData\Local\Temp\7zS8577FE96\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS8577FE96\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zS8577FE96\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zS8577FE96\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS8577FE96\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 02:06

Reported

2023-12-30 15:30

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe"

Signatures

NullMixer

dropper nullmixer

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Nirsoft

Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Obfuscated with Agile.Net obfuscator

agilenet

UPX packed file

upx

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe

"C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_2.exe

C:\Users\Admin\AppData\Local\Temp\is-JT5M1.tmp\metina_5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JT5M1.tmp\metina_5.tmp" /SL5="$8005E,189670,105984,C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 976 -ip 976

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4016 -ip 4016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 600

C:\Windows\SysWOW64\rUNdlL32.eXe

"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",init

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_3.exe

metina_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_5.exe

metina_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_7.exe

metina_7.exe

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_6.exe

metina_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_2.exe

metina_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_4.exe

metina_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_1.exe

metina_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c metina_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3816 -ip 3816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1272 -ip 1272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1040

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe"

C:\Users\Admin\AppData\Roaming\urvwhgw

C:\Users\Admin\AppData\Roaming\urvwhgw

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 razino.xyz udp
NL 195.133.40.148:80 195.133.40.148 tcp
US 8.8.8.8:53 cor-tips.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 148.40.133.195.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 www.facebook.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 bandakere.tumblr.com udp
US 74.114.154.18:443 bandakere.tumblr.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
IE 163.70.147.35:443 www.facebook.com tcp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 35.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 uehge4g6gh.2ihsfa.com udp
US 13.248.169.48:80 uehge4g6gh.2ihsfa.com tcp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 ppcspb.com udp
US 8.8.8.8:53 mebbing.com udp
US 8.8.8.8:53 twcamel.com udp
US 8.8.8.8:53 howdycash.com udp
CA 23.227.38.32:80 howdycash.com tcp
US 8.8.8.8:53 lahuertasonora.com udp
US 8.8.8.8:53 kpotiques.com udp
US 104.253.227.240:80 kpotiques.com tcp
US 8.8.8.8:53 32.38.227.23.in-addr.arpa udp
US 8.8.8.8:53 240.227.253.104.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 pupdatastar.tech udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe

MD5 af41d6d43df35d8c831695e584169a71
SHA1 bb8d6f081e93d2860ce62fabefbe9cdf80ebf06e
SHA256 cbab323219211a8bb57f5b0ee9bdd97b45724c61da8b842f02174ed87f908141
SHA512 5fce8bb65d14ca38178ac1cf9ba7d012a2e64b7af9ae3c6cf31b6cf7be44708474b9381da50cb9c9eea9a4b0429eb4b2e280afba0424b6f5ef0a26379221af9a

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\libwinpthread-1.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe

MD5 66e4d85d4ca9857cf96683f0a03956a1
SHA1 658d0f967a411314dc5e0f8d8da583c611eca53c
SHA256 f58ea6ce680f31fb59c3b69588e6be86a400e6963782a8466cb62b92e5304d73
SHA512 c20f28cc43720694338fba1f12e2a68ac80ad669b960b337c502a9c4765c184a466a2da474e0181da081c97ea54f9c3aea59cdb66bbe0d6e7d455be62ce5835e