Analysis Overview
SHA256
e23943f7a0d3e8bfcb2ea6debdd990281fd94e32629db00f12b8208b668bed52
Threat Level: Known bad
The file REVISED PO -TSTC22-1011_Pdf.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
Checks computer location settings
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-15 11:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-15 11:37
Reported
2022-11-15 11:39
Platform
win7-20221111-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe" | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2012 set thread context of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\ISS Manager\issmgr.exe | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ISS Manager\issmgr.exe | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uuPTAGHRzGi.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uuPTAGHRzGi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA600.tmp"
C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAAB2.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAB4F.tmp"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 8.8.4.4:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
Files
memory/2012-54-0x0000000000120000-0x00000000001EE000-memory.dmp
memory/2012-55-0x00000000767D1000-0x00000000767D3000-memory.dmp
memory/2012-56-0x0000000000310000-0x0000000000328000-memory.dmp
memory/2012-57-0x0000000000330000-0x000000000033C000-memory.dmp
memory/2012-58-0x0000000004F90000-0x0000000005004000-memory.dmp
memory/520-59-0x0000000000000000-mapping.dmp
memory/1904-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA600.tmp
| MD5 | 3b39ef848eaf4ea5a27da018bd2de1ed |
| SHA1 | ffb5be4dd0076143b79f27f95e0feb02d5bdbb8b |
| SHA256 | 95dedca679f3ef361e3a9b06932734302597b7061aa4dbd7a2d5f7da35f16f4a |
| SHA512 | be028b1140906e98fdaf08e9a7516d20166c55639e18984906e9f83dd91ba1033a027babbf0275a16f31bda8fe62d9b22e33b0a0cb094180086080016ec30fb1 |
memory/2012-63-0x0000000005000000-0x000000000503A000-memory.dmp
memory/564-64-0x0000000000400000-0x0000000000438000-memory.dmp
memory/564-65-0x0000000000400000-0x0000000000438000-memory.dmp
memory/564-67-0x0000000000400000-0x0000000000438000-memory.dmp
memory/564-68-0x0000000000400000-0x0000000000438000-memory.dmp
memory/564-70-0x0000000000400000-0x0000000000438000-memory.dmp
memory/564-71-0x000000000041E792-mapping.dmp
memory/564-73-0x0000000000400000-0x0000000000438000-memory.dmp
memory/564-75-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1484-77-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAAB2.tmp
| MD5 | 009102eae052bce5463af965c53565c9 |
| SHA1 | f6291373c2ebf187e3724dc7d4f9c7baf57173bb |
| SHA256 | db50cd26a722c0e7c0bf9810f8a24fb79db2c28dee5e5473b32cdafb4c440421 |
| SHA512 | 6103132503be7601ee96a1f75a83923c436881983d2f451cab298a3376f88b5614e5567c088364c5c50ad03f79d121e174b86c285b2a846d73bf2bd39399a2cd |
memory/1020-79-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAB4F.tmp
| MD5 | ea7095fa975a5ac043c9de2899ce61d0 |
| SHA1 | ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3 |
| SHA256 | 5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f |
| SHA512 | b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb |
memory/564-81-0x0000000000460000-0x000000000046A000-memory.dmp
memory/564-82-0x0000000000470000-0x000000000048E000-memory.dmp
memory/564-83-0x0000000000490000-0x000000000049A000-memory.dmp
memory/520-84-0x000000006E1E0000-0x000000006E78B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-15 11:37
Reported
2022-11-15 11:39
Platform
win10v2004-20220901-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
NanoCore
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3828 set thread context of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uuPTAGHRzGi.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uuPTAGHRzGi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B29.tmp"
C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe"
C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\REVISED PO -TSTC22-1011_Pdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8F20.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8F70.tmp"
Network
| Country | Destination | Domain | Proto |
| N/A | 20.42.73.24:443 | tcp | |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 2.18.109.224:443 | tcp | |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 87.248.202.1:80 | tcp | |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 88.221.25.155:80 | tcp | |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
| N/A | 8.8.8.8:53 | henzy.ddns.net | udp |
| N/A | 37.0.14.216:2828 | henzy.ddns.net | tcp |
Files
memory/3828-132-0x0000000000680000-0x000000000074E000-memory.dmp
memory/3828-133-0x00000000056B0000-0x0000000005C54000-memory.dmp
memory/3828-134-0x0000000005100000-0x0000000005192000-memory.dmp
memory/3828-135-0x00000000051A0000-0x00000000051AA000-memory.dmp
memory/3828-136-0x00000000090A0000-0x000000000913C000-memory.dmp
memory/3916-137-0x0000000000000000-mapping.dmp
memory/3720-138-0x0000000000000000-mapping.dmp
memory/3916-139-0x0000000004F70000-0x0000000004FA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8B29.tmp
| MD5 | 5341da50d695c0d6bb8c34e0808280b9 |
| SHA1 | db363abbcc306bd731d2402a8e8048457494c8b4 |
| SHA256 | 6dcf8069c0894cc17214b286a11d1f59c9752331f730ca0b0a631b50654e996d |
| SHA512 | 9c4fa299bdaaa0975a6eac0472d21e037ae8b50cdeb5f32ed9581f4a290eb2b106266db24a417f1d88335ca9ed1e18863c75f405a8fdc19c64fda47c5b7f67c4 |
memory/1408-141-0x0000000000000000-mapping.dmp
memory/3916-143-0x0000000005640000-0x0000000005C68000-memory.dmp
memory/1420-144-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1420-142-0x0000000000000000-mapping.dmp
memory/3916-145-0x00000000055A0000-0x00000000055C2000-memory.dmp
memory/3916-146-0x0000000005D20000-0x0000000005D86000-memory.dmp
memory/3916-147-0x0000000005F40000-0x0000000005FA6000-memory.dmp
memory/2548-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8F20.tmp
| MD5 | 009102eae052bce5463af965c53565c9 |
| SHA1 | f6291373c2ebf187e3724dc7d4f9c7baf57173bb |
| SHA256 | db50cd26a722c0e7c0bf9810f8a24fb79db2c28dee5e5473b32cdafb4c440421 |
| SHA512 | 6103132503be7601ee96a1f75a83923c436881983d2f451cab298a3376f88b5614e5567c088364c5c50ad03f79d121e174b86c285b2a846d73bf2bd39399a2cd |
memory/4960-150-0x0000000000000000-mapping.dmp
memory/3916-151-0x0000000006540000-0x000000000655E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8F70.tmp
| MD5 | 2f26d92c1eeead3896820e56ec46f6f1 |
| SHA1 | d95533b61eed7d89e4ada56bc566d60e42ac1f61 |
| SHA256 | 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa |
| SHA512 | 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892 |
memory/3916-153-0x00000000074E0000-0x0000000007512000-memory.dmp
memory/3916-154-0x0000000070C70000-0x0000000070CBC000-memory.dmp
memory/3916-155-0x0000000006B00000-0x0000000006B1E000-memory.dmp
memory/3916-156-0x0000000007E90000-0x000000000850A000-memory.dmp
memory/3916-157-0x0000000007840000-0x000000000785A000-memory.dmp
memory/3916-158-0x00000000078B0000-0x00000000078BA000-memory.dmp
memory/3916-159-0x0000000007AC0000-0x0000000007B56000-memory.dmp
memory/3916-160-0x0000000007A70000-0x0000000007A7E000-memory.dmp
memory/3916-161-0x0000000007B80000-0x0000000007B9A000-memory.dmp
memory/3916-162-0x0000000007B60000-0x0000000007B68000-memory.dmp