Analysis Overview
SHA256
2b28effca2feb3231324016122924a7873e11d4b0bc3a45467c645d2a73b0d48
Threat Level: Known bad
The file 2b28effca2feb3231324016122924a7873e11d4b0bc3a45467c645d2a73b0d48 was found to be: Known bad.
Malicious Activity Summary
MassLogger log file
MassLogger
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
outlook_office_path
outlook_win_path
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2022-05-21 11:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 11:20
Reported
2022-05-21 11:42
Platform
win7-20220414-en
Max time kernel
152s
Max time network
152s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 880 set thread context of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uSRQyICPZwKer" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE1A9.tmp"
C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpE1A9.tmp
| MD5 | bc61a7afe6e32fc606e4725d18d2758a |
| SHA1 | fae7a2211494033cfdf24737d120d97b75a128d9 |
| SHA256 | 9c45677d92991b72a33710b757616dd5ef5a3631a303f87371387ee2be4cc5fa |
| SHA512 | c72d0ae07fe39ffb5b87a0a54f09c81439be5b2658ff01909cc39c84502ce85d00d38420d537a70e6d14229bc8fd206a84e26d8546bceda7b0cc6e2f01428291 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 11:20
Reported
2022-05-21 11:41
Platform
win10v2004-20220414-en
Max time kernel
122s
Max time network
114s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3996 set thread context of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uSRQyICPZwKer" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp"
C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
"{path}"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe'
Network
| Country | Destination | Domain | Proto |
| US | 13.89.178.26:443 | N/A | tcp |
| US | 8.253.208.112:80 | N/A | tcp |
| US | 8.253.208.112:80 | N/A | tcp |
| US | 8.253.208.112:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp
| MD5 | 9102c19eefd948a84ed181429bfae74f |
| SHA1 | 7f9aa98c8fdd29141ab8241038b4d3a8005b631f |
| SHA256 | e24e1885e275c4bbecff6dacfd5e1cbb23a8775f1c3634645e07a2d7f061b089 |
| SHA512 | 570583637114680a097d1ba8de91afe37d4edaa6f5e9c360ed9c7f14ac1b542ee2ceac57488ff8726f71b28fe9d4a666105dfe24f6d91a1357a69944dff5db0b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order 2020.pdf.exe.log
| MD5 | ad1c7f6525cfeb54c0487efd38b0e26c |
| SHA1 | ed3da94723ac7e3828a9e93d68418bb810592f3b |
| SHA256 | 0a534a3d0fa82e6a427164c5f6e702cac7e4afc9967af9bc5ddba4f84ab33276 |
| SHA512 | 48d625e6be5391d91d95c2850226fe39bb2411cb72139797699cfe126e6b066182e83950a8ea67e63b64a66b0d45f58d8bc97cab0363d55c2fd88c0d1d28009c |