Malware Analysis Report

2025-08-05 21:25

Sample ID 231222-hmdggabbgl
Target 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1
SHA256 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1
Tags vmprotect
Score 8/10


Analysis Overview

Score 8/10

SHA256 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1

Threat Level: Likely malicious

The file 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1 was found to be: Likely malicious.

Malicious Activity Summary

vmprotect

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Deletes itself

VMProtect packed file

Checks computer location settings

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Runs ping.exe

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2023-12-22 06:50

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 06:50

Reported

2023-12-22 06:53

Platform

win7-20231215-en

Max time kernel

141s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe"

Signatures

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\listp\latic.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{AFD5ED06-B722-4d34-A979-7A8757C80E34}.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\R: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\T: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\X: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Y: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\J: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\K: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\M: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\W: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\G: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\N: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\S: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\I: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Q: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\L: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\P: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\U: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\V: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Z: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\B: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\E: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\H: C:\windows\Runn\Yloux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\Runn\sqlite3.dll C:\listp\latic.exe N/A
File created C:\windows\Runn\Yloux.exe C:\listp\latic.exe N/A
File created C:\windows\Runn\1.bin C:\listp\latic.exe N/A
File created C:\windows\Runn\WindowsTask.exe C:\listp\latic.exe N/A
File created C:\windows\Runn\DuiLib_u.dll C:\listp\latic.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1703227921" C:\Users\Admin\AppData\Local\Temp\{AFD5ED06-B722-4d34-A979-7A8757C80E34}.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe N/A
N/A N/A C:\listp\latic.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 368 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe C:\listp\latic.exe
PID 368 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2688 wrote to memory of 2928 N/A C:\listp\latic.exe C:\windows\Runn\Yloux.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe

"C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe"

C:\listp\latic.exe

C:\listp\latic.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ping 127.0.0.1 -n 5 &del "C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

C:\windows\Runn\Yloux.exe

"C:\windows\Runn\Yloux.exe"

C:\Users\Admin\AppData\Local\Temp\{AFD5ED06-B722-4d34-A979-7A8757C80E34}.exe

"C:\Users\Admin\AppData\Local\Temp\{AFD5ED06-B722-4d34-A979-7A8757C80E34}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{6526ACB4-C485-456a-8003-2A0C1848A355}"

Network

Country Destination Domain Proto
US 38.54.25.23:80 tcp
US 38.60.204.65:53261 38.60.204.65 tcp
HK 45.112.206.130:18496 tcp
N/A 192.168.1.2:6341 udp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 06:50

Reported

2023-12-22 06:54

Platform

win10v2004-20231215-en

Max time kernel

160s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\listp\latic.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\listp\latic.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{54BB98AB-51B5-4e3e-A1BC-7B112C698417}.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Z: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\E: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\L: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\P: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\R: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\W: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\X: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Y: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\G: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\K: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\J: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\S: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\T: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\U: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\V: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\H: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\I: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\O: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Q: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\B: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\M: C:\windows\Runn\Yloux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\Runn\WindowsTask.exe C:\listp\latic.exe N/A
File created C:\windows\Runn\DuiLib_u.dll C:\listp\latic.exe N/A
File created C:\windows\Runn\sqlite3.dll C:\listp\latic.exe N/A
File created C:\windows\Runn\Yloux.exe C:\listp\latic.exe N/A
File created C:\windows\Runn\1.bin C:\listp\latic.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings C:\listp\latic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1703227932" C:\Users\Admin\AppData\Local\Temp\{54BB98AB-51B5-4e3e-A1BC-7B112C698417}.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe N/A
N/A N/A C:\listp\latic.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe C:\listp\latic.exe
PID 2580 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe C:\Windows\SysWOW64\cmd.exe
PID 4652 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3172 wrote to memory of 1000 N/A C:\listp\latic.exe C:\windows\Runn\Yloux.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe

"C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe"

C:\listp\latic.exe

C:\listp\latic.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ping 127.0.0.1 -n 5 &del "C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

C:\windows\Runn\Yloux.exe

"C:\windows\Runn\Yloux.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\{54BB98AB-51B5-4e3e-A1BC-7B112C698417}.exe

"C:\Users\Admin\AppData\Local\Temp\{54BB98AB-51B5-4e3e-A1BC-7B112C698417}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{712767FD-0811-4a38-8ED4-71F2E1D8C9ED}"

Network


Files
