Analysis Overview
SHA256
1fe9144a833c74b3d8a2d093c2d8e77e0edc7d311739fd0190891431662125d7
Threat Level: Known bad
The file iebcqyhjfa.zip was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Blocklisted process makes network request
Loads dropped DLL
Enumerates connected drives
Drops file in Windows directory
Gathers network information
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-01 22:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-01 22:24
Reported
2023-06-01 22:34
Platform
win10v2004-20230220-en
Max time kernel
538s
Max time network
504s
Command Line
Signatures
Qakbot/Qbot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI2DD6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAA5A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57aa1d.msi | C:\Windows\system32\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectFunding_268488_Jun01.js
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Windows\SysWOW64\whoami.exe
whoami /all
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | garokelka.com | udp |
| NL | 217.195.153.225:443 | garokelka.com | tcp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.146.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lakirasa.com | udp |
| BR | 216.238.111.194:443 | lakirasa.com | tcp |
| US | 52.152.108.96:443 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FR | 40.79.141.154:443 | | tcp |
| US | 8.8.8.8:53 | tofinka.com | udp |
| IR | 185.235.138.66:443 | tofinka.com | tcp |
| US | 8.8.8.8:53 | 66.138.235.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | api.msn.com | tcp |
| US | 8.8.8.8:53 | 80.72.84.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | oracle.com | udp |
| US | 147.154.26.35:443 | oracle.com | tcp |
| US | 8.8.8.8:53 | www.oracle.com | udp |
| NL | 95.101.125.213:443 | www.oracle.com | tcp |
| US | 8.8.8.8:53 | 35.26.154.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.125.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| DK | 80.167.196.79:443 | 80.167.196.79 | tcp |
| US | 8.8.8.8:53 | 79.196.167.80.in-addr.arpa | udp |
| DK | 80.167.196.79:443 | 80.167.196.79 | tcp |
| DK | 80.167.196.79:443 | 80.167.196.79 | tcp |
Files
C:\Windows\Installer\MSI2DD6.tmp
C:\Config.Msi\e57aa1c.rbs
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
\??\Volume{af0fc727-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f20c350b-7bc4-4118-b78b-55c3ddffe2c3}_OnDiskSnapshotProp
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2