Malware Analysis Report

2024-10-18 23:12

Sample ID 231211-2lhvcaaefk
Target 141fab15a9ee48b8caadd462553dbff3.bin
SHA256 498664cb5f374b3185b39c05b7c0024b52f74815693da3a56a483fd3982ec295
Tags
eternity
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

498664cb5f374b3185b39c05b7c0024b52f74815693da3a56a483fd3982ec295

Threat Level: Known bad

The file 141fab15a9ee48b8caadd462553dbff3.bin was found to be: Known bad.

Malicious Activity Summary

eternity

Eternity

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 22:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 22:40

Reported

2023-12-11 22:42

Platform

win7-20231201-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe"

Signatures

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Windows\SysWOW64\schtasks.exe
PID 2516 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe
PID 2516 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe
PID 2516 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe
PID 2516 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe
PID 2516 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SRLHjykjP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E6C.tmp"

C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"{path}"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp6E6C.tmp

MD5 0b52dba0ee6fa2594e8072459c42061f
SHA1 e32832c3405c23e4f413f702685bc6995625f1bb
SHA256 be317588c4995239f0e119cf2fccbe50101f59fafc43d8634be0aae151384cf5
SHA512 4b516ebee4550cbbe9179c37af4fbf9f860ca03f5f2860578c76e7a9fc2ab9bbae475300956fa4cf63a8b7f77e0eb5ee911d057ce80a4b188a8136995328f1ed

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 22:40

Reported

2023-12-11 22:42

Platform

win10v2004-20231130-en

Max time kernel

133s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe"

Signatures

Eternity

eternity

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4516 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Windows\SysWOW64\schtasks.exe
PID 4516 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe
PID 4516 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe
PID 2396 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Windows\SysWOW64\cmd.exe
PID 4028 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4028 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4028 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4028 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe
PID 4132 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Windows\SysWOW64\schtasks.exe
PID 4132 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe
PID 5100 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Windows\SysWOW64\schtasks.exe
PID 5100 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe
PID 5100 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe
PID 1020 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Windows\SysWOW64\schtasks.exe
PID 1020 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SRLHjykjP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA7C9.tmp"

C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe"

C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SRLHjykjP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D76.tmp"

C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SRLHjykjP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp601C.tmp"

C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"{path}"

C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"{path}"

C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SRLHjykjP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4666.tmp"

C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpA7C9.tmp

MD5 555597628815343ae5db200d8ee55a2f
SHA1 0d7f0a6cd605ed53f8dde28632bc2ba2d4739742
SHA256 242fdd63899ae33602ce9f6d4990693399b0199969ebd9ff529486038cd8b2f0
SHA512 4492aff296661bdf273eed49fa3c9dde420c674d9af7a92d4fc7f74b311b6d601e3991fcd173efb1398b3805d8dd90e085c36751de6710b73c1626d4cc449895

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

C:\Users\Admin\AppData\Local\ServiceHub\e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454.exe

MD5 141fab15a9ee48b8caadd462553dbff3
SHA1 36797395bb85f08ac5cf7eacb81c8d9ce78b3701
SHA256 e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454
SHA512 67ff417f350ba875ea4af66088e7bd9f91ee39c52ff4ad27b34526a506efbeb1a14258cca39762d87d8f98f0c6b8427ecc784fc9df4fade95d0f2b3bf86be6ca
