Analysis Overview
SHA256
0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225
Threat Level: Known bad
The file 0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225 was found to be: Known bad.
Malicious Activity Summary
Netwire
NetWire RAT payload
Netwire family
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
UPX packed file
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Gathers network information
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-15 19:34
Signatures
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-15 19:34
Reported
2024-12-15 19:36
Platform
win7-20240903-en
Max time kernel
56s
Max time network
120s
Command Line
Signatures
NetWire RAT payload
Netwire
Netwire family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I78G8V27-88UF-2L1T-8064-2S8723OVASE8}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\FirstRow.pif\"" | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I78G8V27-88UF-2L1T-8064-2S8723OVASE8} | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateAliAim = "C:\\Users\\Admin\\AppData\\Roaming\\FirstRow.pif" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\FirstRowAli = "C:\\Users\\Admin\\AppData\\Roaming\\FirstRow.pif" | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2308 set thread context of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe |
| PID 2308 set thread context of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe |
| PID 2828 set thread context of 2984 | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | C:\Users\Admin\AppData\Roaming\FirstRow.pif |
| PID 2828 set thread context of 1936 | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | C:\Users\Admin\AppData\Roaming\FirstRow.pif |
| PID 2828 set thread context of 2500 | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | C:\Users\Admin\AppData\Roaming\FirstRow.pif |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
"C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe"
C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
"C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe"
C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
"C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
C:\Users\Admin\AppData\Roaming\FirstRow.pif
"C:\Users\Admin\AppData\Roaming\FirstRow.pif"
C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
C:\Users\Admin\AppData\Roaming\FirstRow.pif
"C:\Users\Admin\AppData\Roaming\FirstRow.pif"
C:\Users\Admin\AppData\Roaming\FirstRow.pif
"C:\Users\Admin\AppData\Roaming\FirstRow.pif"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
C:\Windows\SysWOW64\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HUQTX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdateAliAim" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FirstRow.pif" /f
C:\Users\Admin\AppData\Roaming\FirstRow.pif
"C:\Users\Admin\AppData\Roaming\FirstRow.pif"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | imemerit.servehttp.com | udp |
Files
\Users\Admin\AppData\Roaming\FirstRow.pif
| MD5 | 62b17b9cdbbd6711dbfce8e2ddbd3b25 |
| SHA1 | 7cd2d136beee0629eec2ec88aeab0eeb862a228e |
| SHA256 | 6e31069208365f3adafc6e17bd4c2e0b7b26c3d9d6d583da2880442a375c58e0 |
| SHA512 | fe286afc62074384b45dd9ab193995ce0df2d3e4a502e63f243655428790b19dd0614986eb7d8be094eda637c493195bbbcdd9ce80a074e3ce51de24ba2c842b |
C:\Users\Admin\AppData\Local\Temp\HUQTX.bat
| MD5 | f36ef4e2bfb399e9159d71c0806dc34f |
| SHA1 | 9ce20868ec14cabf37d77a1995b1399ebf40681d |
| SHA256 | 99a012606942fe84a0ed1b09c60ef765cef48e4ba317b3a71595b300ae531cc2 |
| SHA512 | ad7cd152f2b8f04aeee6838ccb2cc10675f289f0e4fd0e6175dace10a062655df1ec2a8d5e80ba65e5d6d0237311c91b0fce54c16e7576dc38b3399abc304b0b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-15 19:34
Reported
2024-12-15 19:36
Platform
win10v2004-20241007-en
Max time kernel
106s
Max time network
153s
Command Line
Signatures
NetWire RAT payload
Netwire
Netwire family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I78G8V27-88UF-2L1T-8064-2S8723OVASE8} | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I78G8V27-88UF-2L1T-8064-2S8723OVASE8}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\FirstRow.pif\"" | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FirstRowAli = "C:\\Users\\Admin\\AppData\\Roaming\\FirstRow.pif" | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1368 set thread context of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe |
| PID 1368 set thread context of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe |
| PID 2312 set thread context of 3364 | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | C:\Users\Admin\AppData\Roaming\FirstRow.pif |
| PID 2312 set thread context of 2680 | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | C:\Users\Admin\AppData\Roaming\FirstRow.pif |
| PID 2312 set thread context of 4280 | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | C:\Users\Admin\AppData\Roaming\FirstRow.pif |
UPX packed file
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FirstRow.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
"C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe"
C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
"C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe"
C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
"C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
C:\Users\Admin\AppData\Roaming\FirstRow.pif
"C:\Users\Admin\AppData\Roaming\FirstRow.pif"
C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
C:\Users\Admin\AppData\Roaming\FirstRow.pif
"C:\Users\Admin\AppData\Roaming\FirstRow.pif"
C:\Users\Admin\AppData\Roaming\FirstRow.pif
"C:\Users\Admin\AppData\Roaming\FirstRow.pif"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
C:\Windows\SysWOW64\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2984 -ip 2984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 336
C:\Windows\SysWOW64\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe"
C:\Users\Admin\AppData\Roaming\FirstRow.pif
"C:\Users\Admin\AppData\Roaming\FirstRow.pif"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | imemerit.servehttp.com | udp |
Files
C:\Users\Admin\AppData\Roaming\FirstRow.pif
| MD5 | aaddea69bccad9c0654d2e14fdd083e0 |
| SHA1 | 3fbcb921138f51790ecfaf80af84b5c172770a05 |
| SHA256 | 66522b1f3560592b34f0555dc030a6063a6a8145e83c8b3cfa65678e050df931 |
| SHA512 | 7cf57a601db87868345344affbca43585fd9728a841c7a2c103e45b34b9340b2ee52dc5fa8c498c51c0e1d20e71fd55eda8466f56546ce47ea9a91d8b0e54077 |
C:\Users\Admin\AppData\Local\Temp\TMLTH.txt
| MD5 | f36ef4e2bfb399e9159d71c0806dc34f |
| SHA1 | 9ce20868ec14cabf37d77a1995b1399ebf40681d |
| SHA256 | 99a012606942fe84a0ed1b09c60ef765cef48e4ba317b3a71595b300ae531cc2 |
| SHA512 | ad7cd152f2b8f04aeee6838ccb2cc10675f289f0e4fd0e6175dace10a062655df1ec2a8d5e80ba65e5d6d0237311c91b0fce54c16e7576dc38b3399abc304b0b |