Malware Analysis Report

2025-04-13 20:35

Sample ID 230913-qzfflaeh34
Target tmp
SHA256 97a978ec855f5da30b8ab14b02106e6f7ead6ed740a0bdb03c79645aafc1be97
Tags
guloader downloader azorult collection discovery infostealer spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

guloader downloader azorult collection discovery infostealer spyware stealer trojan

Guloader,Cloudeye

Azorult

Checks computer location settings

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Loads dropped DLL

Checks QEMU agent file

Reads data files stored by FTP clients

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Delays execution with timeout.exe

Checks processor information in registry

outlook_office_path

Suspicious behavior: MapViewOfSection

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-09-13 13:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-13 13:41

Reported

2023-09-13 13:44

Platform

win7-20230831-en

Max time kernel

117s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\0409\eviler.sst C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2812 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 552

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst6C2D.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

\Users\Admin\AppData\Local\Temp\nst6C2D.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-13 13:41

Reported

2023-09-13 13:44

Platform

win10v2004-20230831-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Azorult

trojan infostealer azorult

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4684 set thread context of 1600 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\0409\eviler.sst C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "tmp.exe"

C:\Windows\SysWOW64\timeout.exe

C:\Windows\system32\timeout.exe 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 futotarsakse.hu udp
HU 185.80.49.249:80 futotarsakse.hu tcp
US 8.8.8.8:53 249.49.80.185.in-addr.arpa udp
US 8.8.8.8:53 m2ch.shop udp
US 104.21.43.252:80 m2ch.shop tcp
US 8.8.8.8:53 252.43.21.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 104.21.43.252:80 m2ch.shop tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nso7590.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

C:\Users\Admin\AppData\Local\Temp\nso7590.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

C:\Users\Admin\AppData\Local\Temp\86A5F4CA\nss3.dll

MD5 556ea09421a0f74d31c4c0a89a70dc23
SHA1 f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256 f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA512 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

C:\Users\Admin\AppData\Local\Temp\86A5F4CA\mozglue.dll

MD5 9e682f1eb98a9d41468fc3e50f907635
SHA1 85e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

C:\Users\Admin\AppData\Local\Temp\86A5F4CA\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

C:\Users\Admin\AppData\Local\Temp\86A5F4CA\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
