Malware Analysis Report

2025-03-15 01:44

Sample ID 230910-kd5wgafh25
Target 23b77ec0633b2c7b87d91d3fbaddfb77cfa092bc49eaa9df40d34e54944b503d
SHA256 23b77ec0633b2c7b87d91d3fbaddfb77cfa092bc49eaa9df40d34e54944b503d
Tags
healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

23b77ec0633b2c7b87d91d3fbaddfb77cfa092bc49eaa9df40d34e54944b503d

Threat Level: Known bad

The file 23b77ec0633b2c7b87d91d3fbaddfb77cfa092bc49eaa9df40d34e54944b503d was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

RedLine

SmokeLoader

Healer

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 08:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 08:30

Reported

2023-09-10 08:32

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

154s

Command Line

C:\Windows\System32\svchost.exe -k netsvcs -p

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3301469.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3297493.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4881284.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3815222.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D1B2A931-39C4-4DFB-A215-8A5CDFD6D543}.catalogItem C:\Windows\System32\svchost.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3612 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\23b77ec0633b2c7b87d91d3fbaddfb77cfa092bc49eaa9df40d34e54944b503d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4864 wrote to memory of 1492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3301469.exe
PID 1492 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3301469.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3297493.exe
PID 1192 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3297493.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4881284.exe
PID 4496 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4881284.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3815222.exe
PID 3892 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3815222.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1430182.exe
PID 3964 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1430182.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3892 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3815222.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3837570.exe
PID 2780 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3837570.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4496 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4881284.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1518918.exe
PID 4044 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1518918.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1192 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3297493.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6011343.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Users\Admin\AppData\Local\Temp\23b77ec0633b2c7b87d91d3fbaddfb77cfa092bc49eaa9df40d34e54944b503d.exe

"C:\Users\Admin\AppData\Local\Temp\23b77ec0633b2c7b87d91d3fbaddfb77cfa092bc49eaa9df40d34e54944b503d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3612 -ip 3612

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3301469.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3301469.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 240

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3297493.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3297493.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4881284.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4881284.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3815222.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3815222.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1430182.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1430182.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3964 -ip 3964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3837570.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3837570.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2780 -ip 2780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1092 -ip 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 544

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1518918.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1518918.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6011343.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6011343.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files
