2.exe

General
Target

2.exe

Filesize

8MB

Completed

19-11-2021 20:41

Score
10/10
MD5

b7d2178b855a201f4801c52991bf696e

SHA1

62429eeee9a7c9facf7b6be530f841e90b34dcba

SHA256

b99fe8335ed77a79bf9b98eb1f5b9179c6ad64951631e946636d87e146d8abd7

Malware Config

Extracted

Path C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\ReadMe.txt
Ransom Note
Distribution Summary ~~~~~~~~~~~~~~~~~~~~~ GRBackPro: Professional backup for Windows 10/8.1/8/7/Vista/XP ans Windows Server 2019/2016/2012/2008/2003 v9.3.x Release Date: 19 October 2021 Categories: backup utility, file utility, system utility Supported Platforms: Win10, Win8.1, Win2019, Win2016, Win2012, Win8, Win7, Win2008, Vista, Win2003, WinXP Description ~~~~~~~ GRBackPro is a professional Windows backup program that helps you maintain your vital computer data. It can re-create your source folder tree onto the destination drive (or a single compressed archive) and for every folder it can copy your files or create a PKZIP� compatible compressed archive with long file name support and password protection. You can run a full, incremental or differential backup of your files. You can synchronize your backup files/directories with your sources. You can easily restore all or just some files to either the original source or to a new location. You can define multiple backup sessions and customize them to your needs. An integrated restore facility allows you to quickly restore your backed-up data. GRBackPro has a scheduler to make your backup automatically start without intervention even if your PC is in stand-by mode (sleep). GRBackPro supports network, floppy, hard drives, and all removable hard drives (but not tapes). You can install GRBackPro as a Windows service to have your backups start on a schedule even if no users are logged in. You can execute a list of tasks before the backup begins and also after the backup has been completed. GRBackPro maintains a log file where it automatically stores all program activities and at every backup completion you can get a copy of it emailed to one or more addresses. GRBackPro is fully featured with many other professional options and comes with a setup program for an easy installation. GRBackPro is an easy to use backup software application. Major GRBackPro features: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Support for network, fixed, and removable drives. Tape devices are not supported unless they are visible as a drive letter by Windows. * Can run as a Windows service process and can logon to any account. * Windows Volume Shadow Copy support to backup open or locked files. * Unicode file and folder names are supported. * Long path names are supported up to 1024 characters. * Can store backup files/archives on multiple removable media (split across media). * Fully customizable: include, exclude files; exclude, skip directories. * Backup a single file or folder, multiple folders, or even a complete disk drive. * Backup modes are: Full, Incremental, and Differential. * Integrated professional scheduler. * Create ZIP64 compatible archives. * Supports the PKZIP� password protection scheme. * Integrated restore facility. * Allows you to simply copy files instead of compressing them. * Re-create exactly your source directory structure so that you can easily navigate into the backup archives and restore single files. * Backup to a single archive with stored path names. * Synchronize backup archives with source files/directories. * Run in the background and is available from a task tray icon. * Can start the backup at Windows shutdown or automatically shutdown Windows after backup completion. * Can wake up your PC from stand-by and start your backup. * All backup activities are recorded in a detailed log file. * A report dialog allows you to view and extract selected activities from the log file. * Backup Wizard for a guided and easy backup setup. * You can limit program access using a password. * Automatic software update facility. New Features for Version 9 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Windows 10 and Windows Server 2019 100% compatible. - New customizable colors with effects. - Zip AES 256 ciphered compression compatible with WinZip. - New Add/Edit Job dialog. Many per session options have been moved at Job level. - New user interface check boxes. - New user interface buttons. - New Report tab. The log files are now separated to make them smaller and quickly handled. - New Report tab. The number of log files to keep can be programmed. - Added to the backup Job the possibility to skip folder names. - Zip compression level has been moved to the backup Job. - Option to move or copy has been moved to the backup Job. - Clear Archive attribute option has been moved to the backup Job. - Include system and hidden files option has been moved to the backup Job. - Include file older or younger than N days options has been moved to the backup Job. - Include wild chars specific files option has been moved to the backup Job. - Skip specified wild chars defined files option has been moved to the backup Job. - Skip specified wild chars defined folders option has been moved to the backup Job. - Backup security attributes option has been moved to the backup Job. - Updated registry backup option. - Added Run pause Task to allow networked computer to restart at a specified time. - The "At backup completion do" option has been moved to the Scheduler tab that is now accessible during the backup. - Many internal optimizations and bug fixes. - Minimum Windows version supported is XP SP3 (for 32 bit versions only). - Detection of the program that locks files with reporting on the backup log Report. - New Report right click popup menu to capture log text and file/folder names to automatically skip. Partial list of updates and changes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Added a confirmation message before to delete a Scheduler Event. - Added Shield icon on the Backup button when the registry backup is active. - Added on the Report tab, operation activities list, pressing CTRL-C you can now copy the current log line to the clipboard. - During a backup run the user can now enable or disable the scheduler. - The Progress Tab Status column has been modified to provide more information about the file compression or copying method. - Enhanced Report tab. - Rearranged some tab options to improve logic and ease of use. - Added backup Jobs list icons. - Removed empty Job list button. - New Add/Edit Job dialog destination tree control. - Various bug fixes. What's New in version 9.0.48 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Fixed: When using the Job synchronization option and doing a full backup then in some cases the destination disk could be wiped out. - Fixed: When using the backup simulation option and full backup then the Abort button was not handled. - Fixed: When using the History mode, once the programmed number of folders had been reached the program failed to fill the newly created one with the current files. What's New in version 9.0.50 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Fixed: When the program is installed as Service and the user runs the program from the Start menu or from a shortcut GR will issue a warning. -Fixed: Setup problem for 64 bit demo version What's New in version 9.0.56 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Fixed: Setup of Service on Windows Server. - Added: New button on the Options tab to Export the current settings to a file. - Added: New button on the Options tab to Import settings from a file. - Fixed: Bug implementing the /B and /R command line options. - Fixed: Some bugs on handling the automatic program update and upgrade. What's New in version 9.0.62 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Fixed: Crash in a particular situation when a second copy began to run and would then quit. - Fixed: Adjusted some errors messages when the user try to back up long paths. - Changed: All message boxes have been replaced with a new auto adaptable message box with a new look. - Fixed: The Restore tab, Single Files... dialog didn't render the programmed colors. - Fixed: The Single Files... restore dialog failed to restore simple files (i.e. not zipped ones) - Fixed: Service could not start GRBackPro in certain circumstances. - Fixed: Registry access problem from 64 bit applications. - Fixed: The 64 bit demo version showed as expired as soon as it was installed. What's New in version 9.0.69 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Fixed: When GRBackPro needs to restart Elevated but the option "Warn if the scheduler needs the program running" is active then the first copy remains active. - Added: Program log entry at backup start with details about the backup type. - Changed: Lowered the timeout of the message balloon that appears on the Flag button 3 seconds instead of 10. - Fixed: On certain circumstances the error message didn't include the folder/file full path and in case where a folder/file was locked the program failed to check who was locking. - Fixed: When both zip compression and synchronization are active, a deleted or renamed source folder isn't reflected on the old destination folder. - Fixed: Bug when reporting a file write error. - Changed: The log file has been optimized, removing entries which did not display useful details. - Changed: When you edit a scheduler event the start date is always set to today. - Added: Check to verify matching "" when you type on the Skip Folder names in Adv. Backup tab. What's New in version 9.0.74 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Fixed: When the user changes the locale time format then the program automatically conforms to it. - Changed: The check for update options dialog has been removed from the Options tab. - Changed: The program now checks for updates (if enabled) automatically and if an update is found will notify the user on the Flag button. - Added: New option to set how to display times. Choices are Windows Default, 12 hours AM/PM and 24 hours. - Fixed: When the Scheduler autostart is enabled and you disable an event (instead of executing it) then the event is disabled but the scheduler still repeatedly tries to restart. - Added: Program update check in the About dialog. - Fixed: In case of VSS errors the program failed to report the errors. - Added: more log entries for the VSS options. What's New in version 9.0.76 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Fixed: When set for a full backup and the source drive was not ready the program would deleted the destination files - Fixed: In some cases, when going to the Report tab the screen would continue to update. - Fixed: Cosmetic UI problem on the Options tab. - Fixed: The program sometimes failed to start the VSS service when required. - Fixed: Messages from the program were sometime missing some parts of the text. - Fixed: When running as a Service the Help didn't show. What's New in version 9.0.77 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Fixed: The Restore and Verify log show a strange "Backup Method =" string. - Fixed: On some foreign languages the program could crash during a backup. What's New in version 9.0.78 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Fixed: When updating the program from the About dialog the new version installation window is not in foreground. - Fixed: When you edit a scheduler event the start date is left unchanged. What's New in version 9.0.79 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Changed: The support buttons of the Options tab have been collected inside a support group. - Fixed: Minor problem when the grsoftware.net web site is not reachable and you check for updates. - Fixed: "Email to support" feature when the user has not set any email options. - Fixed: When the program tries to back up a locked file on a network drive it could hang. - Added: When you try to run a second instance of the program using the same settings the already running instance is now activated (un.hide if hidden). - Fixed: Email to support without setting email options failed too often to succeed. - Changed: Search for locked file sources is now done only three times in order to save backup processing time. - Fixed: Registry backup also try to back up "Virtual Registry" entries that doesn't really exists in the registry. What's New in version 9.0.86 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Moved: option "Warn if an Event wasn't executed more than N days" from Options tab to Scheduler tab. - Fixed: when the destination path is not ready the error message was issued two times. - Changed: The option "Disable the Scheduler (no sessions will run)" has been changed to "Enable the Scheduler". - Added: on the Add Event conditions a new option has been added to force backup execution when the retry expires. What's New in version 9.0.91 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Fixed: When executing a Task that terminates a process the log always shown "[Closing Process: The process 'name' was not found!]". - Fixed: If the backup session has many Jobs and one of then has a drive not ready problem then the whole backup was aborted. What's New in version 9.0.92 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Added: Published Italian Translation. - Fixed: Some cosmetics problems on the user interface. What's New in version 9.0.98 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Fixed: Message about backup not executed since N days was erroneously issued after a program update. - Fixed: Program update from Flag button didn't start. - Fixed: If a computer goes into sleep while a backup was running the backup was blocked until next day. - Fixed: If using the command line option /MH the program would flash and not hide. - Fixed: If the program is run with /MH command line option AND if the "Unhide when backup if finished" option is active the program flashes before going hidden. - Fixed: When the backup ended the statistics on the Progress tab were not complete. What's New in version 9.0.102 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Fixed: The option to start GRBackPro at Windows start didn't work correctly in some cases. - Added: When there is an access denied error during the backup a message is now shown on the progress tab. - Changed: Improved the response time when the user presses the progress tab Abort button. - Added: When the program searches in the Progress tabb for who is locking a file, pressing ESC will abort this long search. - Added: On the backup log the folders with total file size greater than 200MB are logged with the "BIG size" string. What's New in version 9.1.0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Added: New option in the Scheduler Event to force the backup verify. - Added: Indication on the "Search For Text" dialog to explain that F3 search for next match - Added: On the Progress tab statistic the number of deleted files. - Fixed: Bug on the Progress Tab. Occasionally it could crash the whole application. - Changed: The Report tab log rendering has been improved. - Fixed: On the Add/Edit Job dialog when a new folder was created it was not then set as the active folder and had to be reselected. - Fixed: When the program searches for who is locking a file or folder, the timeout was not checked. What's New in version 9.1.2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Added: the full path of the executable file has been added to the backup log. - Changed: the code that try to search for the process that could lock a file has been improved in speed. - Fixed: On first installation the program erroneously stated that a backup was not executed since 18797 days. What's New in version 9.3.1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Fixed: During restore if one or more files were restored the item color in the Progress tab was not set to yellow. - Fixed: During verify if the backup is OK (test passed) the item color in the Progress tab was not set to green. - Changed: The behavior of the message center is changed. No more balloon messages are issued but a counter inside the icon has been added. - Fixed: Minor problems on the Scheduler tab. - Changed: When you disable the scheduler and there are one or more active events defined the program will now issue a message on the Windows message notifications. - Fixed: Check boxes text were sometime drawn as bold. - Fixed: The Add/Edit Job dialog didn't handle correctly all the check boxes. User Manual in PDF ~~~~~~~~~~~~~~~~~~~ You can download a PDF manual from: http://www.grsoftware.net/downloads/grbackpro/grbakpro.pdf Open and Locked Files support ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Now supported using Windows Volume Shadow Copy service. You need to enable this service in o
Emails

sales@grsoftware.net

grsoftware@grsoftware.net

support@grsoftware.net

URLs

http://www.grsoftware.net/downloads/grbackpro/grbakpro.pdf

http://www.grsoftware.net/home/buynow.html

https://www.grsoftware.net

Signatures 9

Filter: none

Discovery
  • SystemBC

    Description

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Executes dropped EXE
    snmpmanager.exesnmpmanager.exe

    Reported IOCs

    pidprocess
    240snmpmanager.exe
    1556snmpmanager.exe
  • Loads dropped DLL
    2.exesnmpmanager.exesnmpmanager.exe

    Reported IOCs

    pidprocess
    4682.exe
    240snmpmanager.exe
    1556snmpmanager.exe
  • Drops file in Windows directory
    snmpmanager.exe

    Reported IOCs

    descriptioniocprocess
    File createdC:\Windows\Tasks\wow64.jobsnmpmanager.exe
    File opened for modificationC:\Windows\Tasks\wow64.jobsnmpmanager.exe
  • HTTP links in PDF interactive object

    Description

    Detects HTTP links in interactive objects within PDF files.

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral1/files/0x00050000000132e0-62.datpdf_with_link_action
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies data under HKEY_USERS
    snmpmanager.exe

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001snmpmanager.exe
    Key created\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0snmpmanager.exe
    Key created\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInputsnmpmanager.exe
    Key created\REGISTRY\USER\.DEFAULT\Systemsnmpmanager.exe
    Key created\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSetsnmpmanager.exe
    Key created\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Controlsnmpmanager.exe
    Key created\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaPropertiessnmpmanager.exe
    Key created\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInputsnmpmanager.exe
    Key created\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivatePropertiessnmpmanager.exe
    Key created\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibrationsnmpmanager.exe
    Set value (data)\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0\GUID = 700cf5a38049ec118001444553540000snmpmanager.exe
    Key created\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\DeviceInstancessnmpmanager.exe
  • Suspicious use of SetWindowsHookEx
    snmpmanager.exesnmpmanager.exe

    Reported IOCs

    pidprocess
    240snmpmanager.exe
    1556snmpmanager.exe
  • Suspicious use of WriteProcessMemory
    2.exetaskeng.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 468 wrote to memory of 2404682.exesnmpmanager.exe
    PID 468 wrote to memory of 2404682.exesnmpmanager.exe
    PID 468 wrote to memory of 2404682.exesnmpmanager.exe
    PID 468 wrote to memory of 2404682.exesnmpmanager.exe
    PID 968 wrote to memory of 1556968taskeng.exesnmpmanager.exe
    PID 968 wrote to memory of 1556968taskeng.exesnmpmanager.exe
    PID 968 wrote to memory of 1556968taskeng.exesnmpmanager.exe
    PID 968 wrote to memory of 1556968taskeng.exesnmpmanager.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:468
    • C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\snmpmanager.exe
      "C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\snmpmanager.exe"
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:240
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x474
    PID:580
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A5EEBF01-5B83-4300-89E7-90F435619E93} S-1-5-18:NT AUTHORITY\System:Service:
    Suspicious use of WriteProcessMemory
    PID:968
    • C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\snmpmanager.exe
      "C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\snmpmanager.exe" start
      Executes dropped EXE
      Loads dropped DLL
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:1556
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Replay Monitor
                        00:00 00:00
                        Downloads
                        • C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\libmtm3.dll

                          MD5

                          3e90cf9f12da95d5c248d6f51ed2cc81

                          SHA1

                          9faeefaaa6e049f64a3dae4f11fa1e657b6a02e3

                          SHA256

                          8434be24df031b2c903bacdd36f4f769728a249b2253713d4c0ac3e5a04d6734

                          SHA512

                          925ee45e4adc44a4dbce05eb22b0aefeebad68a5eb6f12f780d7e3324c5f3b8d382c2e3ac6cbc368f13acb14f44e792e2671d669f0ffc9940ef0e1e637249a9c

                        • C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\pwt

                          MD5

                          b96c921864afb25455285860307a47ac

                          SHA1

                          85555837a8299bfe5d75b8269ef8d98daa9c132a

                          SHA256

                          677bc795baac677dcf6760d1f6fadcf191995c137bf583e695ac0b6ba112828d

                          SHA512

                          90bb66eeeb5400b55549e1bf7ee98c07f65818cd038fe9c4858fd6cfba0ab0ae31529388a933d93c2c28642f3b4916d124e4812a5e6f147be1d24660d092707a

                        • C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\snmpmanager.exe

                          MD5

                          4474b0449b173664ec17a6f98e15b728

                          SHA1

                          fd28d5b82a071ce7a8efb1eb01d92d350c870cb8

                          SHA256

                          78280609ea601c9eda80574e87ba91db440260f0e95148db35044af23371d02f

                          SHA512

                          74f39c88bd45277e6d961b3733e2a11f513dcc2c32a02057b6895451226bfa16d5be620559de7461e5236a6e05e53cfa245a2a0575893c12661e589426e93a5b

                        • C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\snmpmanager.exe

                          MD5

                          4474b0449b173664ec17a6f98e15b728

                          SHA1

                          fd28d5b82a071ce7a8efb1eb01d92d350c870cb8

                          SHA256

                          78280609ea601c9eda80574e87ba91db440260f0e95148db35044af23371d02f

                          SHA512

                          74f39c88bd45277e6d961b3733e2a11f513dcc2c32a02057b6895451226bfa16d5be620559de7461e5236a6e05e53cfa245a2a0575893c12661e589426e93a5b

                        • \Users\Admin\AppData\Local\IIS Application Health Monitor Premium\libmtm3.dll

                          MD5

                          3e90cf9f12da95d5c248d6f51ed2cc81

                          SHA1

                          9faeefaaa6e049f64a3dae4f11fa1e657b6a02e3

                          SHA256

                          8434be24df031b2c903bacdd36f4f769728a249b2253713d4c0ac3e5a04d6734

                          SHA512

                          925ee45e4adc44a4dbce05eb22b0aefeebad68a5eb6f12f780d7e3324c5f3b8d382c2e3ac6cbc368f13acb14f44e792e2671d669f0ffc9940ef0e1e637249a9c

                        • \Users\Admin\AppData\Local\IIS Application Health Monitor Premium\libmtm3.dll

                          MD5

                          3e90cf9f12da95d5c248d6f51ed2cc81

                          SHA1

                          9faeefaaa6e049f64a3dae4f11fa1e657b6a02e3

                          SHA256

                          8434be24df031b2c903bacdd36f4f769728a249b2253713d4c0ac3e5a04d6734

                          SHA512

                          925ee45e4adc44a4dbce05eb22b0aefeebad68a5eb6f12f780d7e3324c5f3b8d382c2e3ac6cbc368f13acb14f44e792e2671d669f0ffc9940ef0e1e637249a9c

                        • \Users\Admin\AppData\Local\IIS Application Health Monitor Premium\snmpmanager.exe

                          MD5

                          4474b0449b173664ec17a6f98e15b728

                          SHA1

                          fd28d5b82a071ce7a8efb1eb01d92d350c870cb8

                          SHA256

                          78280609ea601c9eda80574e87ba91db440260f0e95148db35044af23371d02f

                          SHA512

                          74f39c88bd45277e6d961b3733e2a11f513dcc2c32a02057b6895451226bfa16d5be620559de7461e5236a6e05e53cfa245a2a0575893c12661e589426e93a5b

                        • memory/240-57-0x0000000000000000-mapping.dmp

                        • memory/240-63-0x0000000004950000-0x0000000009A50000-memory.dmp

                        • memory/468-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

                        • memory/1556-64-0x0000000000000000-mapping.dmp

                        • memory/1556-68-0x0000000003690000-0x0000000008790000-memory.dmp