Analysis Overview
SHA256
50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4
Threat Level: Known bad
The file 50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Detect Vidar Stealer
Vidar
Djvu Ransomware
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Modifies file permissions
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:51
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:51
Reported
2024-01-15 04:56
Platform
win10-20231220-en
Max time kernel
296s
Max time network
300s
Command Line
Signatures
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6216d487-2582-49fc-b1b3-5f6ee91fa9b6\\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe"
C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6216d487-2582-49fc-b1b3-5f6ee91fa9b6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe
"C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe"
C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe
"C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1888
C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe
"C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe"
C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe
"C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| AR | 186.13.17.220:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.17.13.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\6216d487-2582-49fc-b1b3-5f6ee91fa9b6\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe
C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:51
Reported
2024-01-15 04:56
Platform
win7-20231215-en
Max time kernel
296s
Max time network
154s
Command Line
Signatures
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b50f4af1-dd35-468c-bcfd-d656faf782b5\\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe"
C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b50f4af1-dd35-468c-bcfd-d656faf782b5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
"C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe"
C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
"C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe"
C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
"C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1480
C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
"C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {BA8381CB-4DE3-45C1-A5DE-64213CE195AB} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| AR | 186.13.17.220:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
Files
C:\Users\Admin\AppData\Local\b50f4af1-dd35-468c-bcfd-d656faf782b5\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
C:\Users\Admin\AppData\Local\Temp\Cab498E.tmp
\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
C:\Users\Admin\AppData\Local\Temp\Tar620E.tmp
\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe