Malware Analysis Report

2024-11-13 13:54

Sample ID 231210-cj7cgsdaf6
Target 6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772
SHA256 6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772
Tags
ducktail persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772

Threat Level: Known bad

The file 6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772 was found to be: Known bad.

Malicious Activity Summary

ducktail persistence spyware stealer

Detect Ducktail Third Stage Payload

Ducktail family

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-10 02:09

Signatures

Detect Ducktail Third Stage Payload

Description Indicator Process Target
N/A N/A N/A N/A

Ducktail family

ducktail

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-10 02:07

Reported

2023-12-10 02:12

Platform

win7-20231020-en

Max time kernel

121s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3060 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3060 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3060 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe

"C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/3060-0-0x00000000067D0000-0x0000000007159000-memory.dmp

memory/3060-3-0x00000000067D0000-0x0000000007159000-memory.dmp

memory/3060-4-0x0000000006460000-0x0000000006507000-memory.dmp

memory/3060-5-0x0000000000260000-0x0000000000A88000-memory.dmp

memory/3060-12-0x0000000000B00000-0x0000000000B1D000-memory.dmp

memory/3060-9-0x0000000000B00000-0x0000000000B1D000-memory.dmp

memory/3060-8-0x0000000006460000-0x0000000006507000-memory.dmp

memory/3060-13-0x0000000000C10000-0x0000000000C38000-memory.dmp

memory/3060-16-0x0000000000C10000-0x0000000000C38000-memory.dmp

memory/3060-17-0x0000000006510000-0x000000000669E000-memory.dmp

memory/3060-20-0x0000000006510000-0x000000000669E000-memory.dmp

memory/3060-24-0x00000000028C0000-0x00000000028F0000-memory.dmp

memory/3060-21-0x00000000028C0000-0x00000000028F0000-memory.dmp

memory/3060-25-0x00000000091B0000-0x0000000009506000-memory.dmp

memory/3060-28-0x00000000091B0000-0x0000000009506000-memory.dmp

memory/3060-36-0x0000000005BC0000-0x0000000005BD5000-memory.dmp

memory/3060-33-0x0000000005BC0000-0x0000000005BD5000-memory.dmp

memory/3060-32-0x0000000006250000-0x00000000062F5000-memory.dmp

memory/3060-41-0x00000000063A0000-0x0000000006436000-memory.dmp

memory/3060-49-0x0000000005C70000-0x0000000005CAC000-memory.dmp

memory/3060-52-0x0000000005C70000-0x0000000005CAC000-memory.dmp

memory/3060-53-0x0000000005C50000-0x0000000005C62000-memory.dmp

memory/3060-60-0x0000000005EF0000-0x0000000005EF6000-memory.dmp

memory/3060-57-0x0000000005EF0000-0x0000000005EF6000-memory.dmp

memory/3060-64-0x0000000005C40000-0x0000000005C4C000-memory.dmp

memory/3060-61-0x0000000005C40000-0x0000000005C4C000-memory.dmp

memory/3060-56-0x0000000005C50000-0x0000000005C62000-memory.dmp

memory/3060-48-0x0000000006300000-0x000000000637A000-memory.dmp

memory/3060-45-0x0000000006300000-0x000000000637A000-memory.dmp

memory/3060-44-0x00000000063A0000-0x0000000006436000-memory.dmp

memory/3060-40-0x00000000061A0000-0x00000000061F4000-memory.dmp

memory/3060-37-0x00000000061A0000-0x00000000061F4000-memory.dmp

memory/3060-29-0x0000000006250000-0x00000000062F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab780F.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar7910.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2efb91b28717d87ad2cff1e4adc90025
SHA1 bc8cc0270ef53e7c5131593e97afc17e6a9b864b
SHA256 81feb0ec70c8a163dfabbe43d162ce1da3c8b1204a36ceaec53d11bb3f5719ec
SHA512 96287389f4c20bb71092fbbff96d85457eb2293ed5a2e3302ef84e95a19791eabe6740d055e990af07c29cfeff703a89cc1d687fb23fc79cb542975e85e39741

memory/2320-202-0x0000000072E30000-0x00000000733DB000-memory.dmp

memory/2320-203-0x0000000072E30000-0x00000000733DB000-memory.dmp

memory/2320-204-0x00000000026E0000-0x0000000002720000-memory.dmp

memory/2320-205-0x00000000026E0000-0x0000000002720000-memory.dmp

memory/2320-206-0x00000000026E0000-0x0000000002720000-memory.dmp

memory/2320-207-0x0000000072E30000-0x00000000733DB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 33b967274e37a7e893d66e5db0731bba
SHA1 6accdb142401dc802d0d9505a316c5ca5aff51bb
SHA256 95a13f78cda4a11ba13c841b379b28667bfd1cee572d948fb67891d75159df7e
SHA512 9f6c3e8c5442778d9cf5f549946f8fac3e436778e1de5522b2bc12b50d176cb6b01476f960756c11f50baf86ea51bfe51d213b9ca1e90ef7d45904214798cf46

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VP8FG7DZOM8M3AWX6FWB.temp

MD5 33b967274e37a7e893d66e5db0731bba
SHA1 6accdb142401dc802d0d9505a316c5ca5aff51bb
SHA256 95a13f78cda4a11ba13c841b379b28667bfd1cee572d948fb67891d75159df7e
SHA512 9f6c3e8c5442778d9cf5f549946f8fac3e436778e1de5522b2bc12b50d176cb6b01476f960756c11f50baf86ea51bfe51d213b9ca1e90ef7d45904214798cf46

memory/2940-214-0x0000000072880000-0x0000000072E2B000-memory.dmp

memory/2940-215-0x0000000002650000-0x0000000002690000-memory.dmp

memory/2940-216-0x0000000072880000-0x0000000072E2B000-memory.dmp

memory/2940-217-0x0000000002650000-0x0000000002690000-memory.dmp

memory/2940-218-0x0000000072880000-0x0000000072E2B000-memory.dmp

memory/3060-264-0x0000000000260000-0x0000000000A88000-memory.dmp

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 ab5a0c4dfd4e40048c92943354afa758
SHA1 aba2064e4349fd38c7178de3a8c453894a6b2ec1
SHA256 4bc57f4a1419ee1539165bfefbf4448c23c0e5b248b1e759f5ce62215b38be87
SHA512 d3030835b48c952319242a7884994f3e91f3578a50d5b9caea9f38f6a3eb1f5d74d21ca4ed79a89d02872888a832a99b71ff1b85ea2a6c4c09b43cf3a93b5402

\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 ab5a0c4dfd4e40048c92943354afa758
SHA1 aba2064e4349fd38c7178de3a8c453894a6b2ec1
SHA256 4bc57f4a1419ee1539165bfefbf4448c23c0e5b248b1e759f5ce62215b38be87
SHA512 d3030835b48c952319242a7884994f3e91f3578a50d5b9caea9f38f6a3eb1f5d74d21ca4ed79a89d02872888a832a99b71ff1b85ea2a6c4c09b43cf3a93b5402

memory/3060-282-0x0000000000260000-0x0000000000A88000-memory.dmp

memory/928-283-0x0000000001360000-0x0000000001BA3000-memory.dmp

memory/928-284-0x0000000001360000-0x0000000001BA3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-10 02:07

Reported

2023-12-10 02:12

Platform

win10v2004-20231127-en

Max time kernel

127s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3708 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3708 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3708 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe

"C:\Users\Admin\AppData\Local\Temp\6625bd4b26d018dde4f1727ad9cd66112375b01efe51216e002186e543aaf772.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

memory/3708-0-0x0000000006F10000-0x0000000007899000-memory.dmp

memory/3708-3-0x0000000006F10000-0x0000000007899000-memory.dmp

memory/3708-5-0x0000000006980000-0x0000000006A27000-memory.dmp

memory/3708-4-0x00000000002F0000-0x0000000000B18000-memory.dmp

memory/3708-8-0x0000000006980000-0x0000000006A27000-memory.dmp

memory/3708-9-0x00000000068A0000-0x00000000068BD000-memory.dmp

memory/3708-12-0x00000000068A0000-0x00000000068BD000-memory.dmp

memory/3708-13-0x00000000068D0000-0x00000000068F8000-memory.dmp

memory/3708-16-0x00000000068D0000-0x00000000068F8000-memory.dmp

memory/3708-17-0x000000000AE60000-0x000000000AFEE000-memory.dmp

memory/3708-20-0x000000000AE60000-0x000000000AFEE000-memory.dmp

memory/3708-21-0x0000000006E40000-0x0000000006E70000-memory.dmp

memory/3708-24-0x0000000006E40000-0x0000000006E70000-memory.dmp

memory/3708-25-0x000000000B350000-0x000000000B6A6000-memory.dmp

memory/3708-28-0x000000000B350000-0x000000000B6A6000-memory.dmp

memory/3708-29-0x000000000AFF0000-0x000000000B095000-memory.dmp

memory/3708-32-0x000000000AFF0000-0x000000000B095000-memory.dmp

memory/3708-33-0x0000000006EA0000-0x0000000006EB5000-memory.dmp

memory/3708-36-0x0000000006EA0000-0x0000000006EB5000-memory.dmp

memory/3708-37-0x000000000ADF0000-0x000000000AE44000-memory.dmp

memory/3708-40-0x000000000ADF0000-0x000000000AE44000-memory.dmp

memory/3708-41-0x000000000B140000-0x000000000B1D6000-memory.dmp

memory/3708-44-0x000000000B140000-0x000000000B1D6000-memory.dmp

memory/3708-45-0x000000000B1E0000-0x000000000B25A000-memory.dmp

memory/3708-48-0x000000000B1E0000-0x000000000B25A000-memory.dmp

memory/3708-49-0x0000000006ED0000-0x0000000006F0C000-memory.dmp

memory/3708-52-0x0000000006ED0000-0x0000000006F0C000-memory.dmp

memory/3708-53-0x000000000B100000-0x000000000B112000-memory.dmp

memory/3708-56-0x000000000B100000-0x000000000B112000-memory.dmp

memory/3708-57-0x000000000B0F0000-0x000000000B0F6000-memory.dmp

memory/3708-60-0x000000000B0F0000-0x000000000B0F6000-memory.dmp

memory/3708-61-0x000000000B0E0000-0x000000000B0EC000-memory.dmp

memory/3708-64-0x000000000B0E0000-0x000000000B0EC000-memory.dmp

memory/2264-131-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/2264-132-0x0000000004570000-0x0000000004580000-memory.dmp

memory/2264-133-0x0000000002150000-0x0000000002186000-memory.dmp

memory/2264-134-0x0000000004570000-0x0000000004580000-memory.dmp

memory/2264-135-0x0000000004BB0000-0x00000000051D8000-memory.dmp

memory/2264-136-0x0000000004AF0000-0x0000000004B12000-memory.dmp

memory/2264-137-0x00000000053C0000-0x0000000005426000-memory.dmp

memory/2264-138-0x0000000005430000-0x0000000005496000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwumt5bm.55r.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2264-144-0x00000000054A0000-0x00000000057F4000-memory.dmp

memory/2264-149-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

memory/2264-150-0x0000000005AD0000-0x0000000005B1C000-memory.dmp

memory/2264-151-0x0000000004570000-0x0000000004580000-memory.dmp

memory/2264-152-0x0000000006CD0000-0x0000000006D66000-memory.dmp

memory/2264-153-0x0000000005F70000-0x0000000005F8A000-memory.dmp

memory/2264-154-0x0000000005FC0000-0x0000000005FE2000-memory.dmp

memory/2264-155-0x0000000007320000-0x00000000078C4000-memory.dmp

memory/2264-158-0x00000000735F0000-0x0000000073DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/2956-169-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/2956-170-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

memory/3708-171-0x00000000002F0000-0x0000000000B18000-memory.dmp

memory/2956-172-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

memory/2956-182-0x0000000005A80000-0x0000000005DD4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0a247b69310d66797c470391043303fb
SHA1 befd83722be3dd1f4c378c82cdf66184b81eaede
SHA256 3b20e09f0c0b50cc00945dd23222d32257d153383ac3ff79f3c6f54dcea7c164
SHA512 588af0996b986e9b70c5b9d8b9a3576a5528f0900a5f86b0022ebc0d255105bf7851437513ae4aff588abe67e6bc2089ff684d16e84643b4a5ad86f978fcecfd

memory/2956-184-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

memory/2956-186-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/4952-188-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/4952-189-0x0000000005590000-0x00000000055A0000-memory.dmp

memory/4952-190-0x0000000005590000-0x00000000055A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 57a39a887201911b93b70f430c51d2e7
SHA1 42e94fd2d6cb9fe4ff95827fc254140c8af6f70a
SHA256 7ed297ea062923153e05712602300060a9f3fb001e15dd165c523e10cdd6b030
SHA512 25a80392e73e2a34691f99cf22b0db41566fdb023fbacfd18e2b98fd176191dacdd45cc3b4ae089b5c262b8be13de217f6e20e32436db3929e5008657c63acff

memory/4952-201-0x0000000005590000-0x00000000055A0000-memory.dmp

memory/4952-203-0x00000000735F0000-0x0000000073DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 ab5a0c4dfd4e40048c92943354afa758
SHA1 aba2064e4349fd38c7178de3a8c453894a6b2ec1
SHA256 4bc57f4a1419ee1539165bfefbf4448c23c0e5b248b1e759f5ce62215b38be87
SHA512 d3030835b48c952319242a7884994f3e91f3578a50d5b9caea9f38f6a3eb1f5d74d21ca4ed79a89d02872888a832a99b71ff1b85ea2a6c4c09b43cf3a93b5402

memory/3708-279-0x00000000002F0000-0x0000000000B18000-memory.dmp

memory/1668-280-0x0000000000D60000-0x00000000015A3000-memory.dmp

memory/1668-281-0x0000000000D60000-0x00000000015A3000-memory.dmp