Malware Analysis Report

2025-08-06 04:33

Sample ID 240126-f8hbfafah9
Target 16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34
SHA256 16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34

Threat Level: Known bad

The file 16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 05:32

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 05:32

Reported

2024-01-26 05:35

Platform

win10v2004-20231215-en

Max time kernel

79s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\07e127b3-8619-4db8-af6c-2b4fee2a52ff\\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe
PID 3752 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe C:\Windows\SysWOW64\icacls.exe
PID 3752 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe
PID 1476 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe

Processes

C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe

"C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe"

C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe

"C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\07e127b3-8619-4db8-af6c-2b4fee2a52ff" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe

"C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe

"C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4072 -ip 4072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp

Files

C:\Users\Admin\AppData\Local\07e127b3-8619-4db8-af6c-2b4fee2a52ff\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe

MD5 a29a054b916c7fb3a6b10e18c54cb9ec
SHA1 bf756199ed02aa04bbfacad49ea51333f6a3a999
SHA256 16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34
SHA512 78b3d4425acc21dbf40e9df6015db6bb9a3729506845e6be3e025027fc6142469b3b353a543c85730ccddb136ef93e85fc9209dc03af3ac667b0006c49c6b43d

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 05:32

Reported

2024-01-26 05:35

Platform

win7-20231215-en

Max time kernel

157s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\43e7840a-21c9-42fc-bdab-d7b91440f774\\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1164 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe
PID 2028 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe C:\Windows\SysWOW64\icacls.exe
PID 2028 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe
PID 2576 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe
PID 3020 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe C:\Users\Admin\AppData\Local\2b7ab2ed-88c6-4964-a8a9-06d568197a2d\build3.exe
PID 1760 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\2b7ab2ed-88c6-4964-a8a9-06d568197a2d\build3.exe C:\Users\Admin\AppData\Local\2b7ab2ed-88c6-4964-a8a9-06d568197a2d\build3.exe
PID 268 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\2b7ab2ed-88c6-4964-a8a9-06d568197a2d\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 992 wrote to memory of 2380 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2380 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2456 wrote to memory of 828 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe

"C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe"

C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe

"C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\43e7840a-21c9-42fc-bdab-d7b91440f774" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe

"C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe

"C:\Users\Admin\AppData\Local\Temp\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\2b7ab2ed-88c6-4964-a8a9-06d568197a2d\build3.exe

"C:\Users\Admin\AppData\Local\2b7ab2ed-88c6-4964-a8a9-06d568197a2d\build3.exe"

C:\Users\Admin\AppData\Local\2b7ab2ed-88c6-4964-a8a9-06d568197a2d\build3.exe

"C:\Users\Admin\AppData\Local\2b7ab2ed-88c6-4964-a8a9-06d568197a2d\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {DFAF3F0A-70AE-44D1-8190-78824EBC5868} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
MX 189.232.10.46:80 habrafa.com tcp
KR 175.120.254.9:80 brusuax.com tcp
MX 189.232.10.46:80 habrafa.com tcp

Files

C:\Users\Admin\AppData\Local\43e7840a-21c9-42fc-bdab-d7b91440f774\16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34.exe

MD5 a29a054b916c7fb3a6b10e18c54cb9ec
SHA1 bf756199ed02aa04bbfacad49ea51333f6a3a999
SHA256 16166b986cd8f0c86be967a2520ea7a6e25a9792d73a5516ad6de37702e87c34
SHA512 78b3d4425acc21dbf40e9df6015db6bb9a3729506845e6be3e025027fc6142469b3b353a543c85730ccddb136ef93e85fc9209dc03af3ac667b0006c49c6b43d

\Users\Admin\AppData\Local\2b7ab2ed-88c6-4964-a8a9-06d568197a2d\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
