Analysis Overview
SHA256
6d880189693cf93dd4ca145b0d3cc8e9295da375654d04ea68a5f67c9f62ae87
Threat Level: Known bad
The file KMS.exe was found to be: Known bad.
Malicious Activity Summary
Turns off Windows Defender SpyNet reporting
Modifies Windows Defender Real-time Protection settings
Netwire
NetWire RAT payload
Windows security bypass
Modifies WinLogon for persistence
Drops startup file
Checks computer location settings
Windows security modification
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-09 19:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-09 19:27
Reported
2023-10-09 19:30
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe\"" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Turns off Windows Defender SpyNet reporting
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KMS.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3108 set thread context of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c timeout 5
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\KMS.exe" -Force
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3108 -ip 3108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 2244
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | haija.mine.nu | udp |
| NL | 45.81.39.46:1338 | haija.mine.nu | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | haija.mine.nu | udp |
| NL | 45.81.39.46:1338 | haija.mine.nu | tcp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
memory/3108-0-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3108-1-0x0000000000BB0000-0x0000000000D62000-memory.dmp
memory/3108-2-0x0000000005BD0000-0x0000000006174000-memory.dmp
memory/3108-3-0x0000000005700000-0x000000000579C000-memory.dmp
memory/3108-4-0x0000000005190000-0x00000000051D6000-memory.dmp
memory/3108-6-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/1728-7-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3928-8-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/1728-9-0x0000000002AE0000-0x0000000002B16000-memory.dmp
memory/3928-10-0x0000000005090000-0x00000000050A0000-memory.dmp
memory/3204-11-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/1188-12-0x00000000047E0000-0x00000000047F0000-memory.dmp
memory/3928-13-0x0000000005090000-0x00000000050A0000-memory.dmp
memory/3204-14-0x0000000002760000-0x0000000002770000-memory.dmp
memory/1188-15-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3204-16-0x0000000002760000-0x0000000002770000-memory.dmp
memory/3204-17-0x00000000050F0000-0x0000000005718000-memory.dmp
memory/3108-18-0x0000000007B60000-0x0000000007B70000-memory.dmp
memory/1728-19-0x0000000005350000-0x0000000005372000-memory.dmp
memory/3204-20-0x0000000005790000-0x00000000057F6000-memory.dmp
memory/1728-21-0x0000000005CB0000-0x0000000005D16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h2hdvnvc.mop.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1728-42-0x0000000005E20000-0x0000000006174000-memory.dmp
memory/1728-59-0x0000000005190000-0x00000000051AE000-memory.dmp
memory/1188-60-0x0000000005D40000-0x0000000005D8C000-memory.dmp
memory/1728-61-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3928-62-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3204-63-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/1188-64-0x00000000047E0000-0x00000000047F0000-memory.dmp
memory/3928-66-0x0000000005090000-0x00000000050A0000-memory.dmp
memory/3204-65-0x0000000002760000-0x0000000002770000-memory.dmp
memory/1188-67-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/2220-68-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1728-71-0x0000000002BD0000-0x0000000002BE0000-memory.dmp
memory/3928-73-0x0000000070050000-0x000000007009C000-memory.dmp
memory/1188-74-0x00000000047E0000-0x00000000047F0000-memory.dmp
memory/3204-76-0x0000000070050000-0x000000007009C000-memory.dmp
memory/1728-108-0x0000000007490000-0x0000000007533000-memory.dmp
memory/1728-107-0x000000007FDD0000-0x000000007FDE0000-memory.dmp
memory/1188-82-0x000000007F910000-0x000000007F920000-memory.dmp
memory/3928-87-0x0000000006AA0000-0x0000000006ABE000-memory.dmp
memory/1728-75-0x0000000070050000-0x000000007009C000-memory.dmp
memory/3204-72-0x00000000066E0000-0x0000000006712000-memory.dmp
memory/2220-70-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1188-106-0x0000000070050000-0x000000007009C000-memory.dmp
memory/2220-118-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3204-119-0x0000000002760000-0x0000000002770000-memory.dmp
memory/1728-120-0x0000000007E20000-0x000000000849A000-memory.dmp
memory/3928-121-0x0000000007830000-0x000000000784A000-memory.dmp
memory/3108-122-0x0000000007B60000-0x0000000007B70000-memory.dmp
memory/3928-123-0x00000000078A0000-0x00000000078AA000-memory.dmp
memory/1728-124-0x0000000007A50000-0x0000000007AE6000-memory.dmp
memory/3928-125-0x0000000007B50000-0x0000000007B61000-memory.dmp
memory/3204-126-0x0000000007630000-0x000000000763E000-memory.dmp
memory/1728-127-0x0000000007A10000-0x0000000007A24000-memory.dmp
memory/3204-128-0x0000000007740000-0x000000000775A000-memory.dmp
memory/3204-129-0x0000000007720000-0x0000000007728000-memory.dmp
memory/1728-130-0x0000000002BD0000-0x0000000002BE0000-memory.dmp
memory/3204-131-0x0000000002760000-0x0000000002770000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7186a555eb7d39d33905e9375ee560b4 |
| SHA1 | c7e4de3ef3d60d1a07f3608ec9a9f55fc62081ad |
| SHA256 | eac654157f70c9cf5dc363ad064d3f0c90e6aa8f98583165937a48f217f615da |
| SHA512 | 19dcacf9d2fb348e3fc38ce31ba0743d3acc62c91cacb028aa3f76c265aaba22fb4a6c25559eb23b8a940c7d4862bb86866681c918e1a080eb5ad7dd9752e19b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7186a555eb7d39d33905e9375ee560b4 |
| SHA1 | c7e4de3ef3d60d1a07f3608ec9a9f55fc62081ad |
| SHA256 | eac654157f70c9cf5dc363ad064d3f0c90e6aa8f98583165937a48f217f615da |
| SHA512 | 19dcacf9d2fb348e3fc38ce31ba0743d3acc62c91cacb028aa3f76c265aaba22fb4a6c25559eb23b8a940c7d4862bb86866681c918e1a080eb5ad7dd9752e19b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0a25edaa27d535e857d3a700df9435f6 |
| SHA1 | 370f53509862d9381a045523e9f47b153fefcb6b |
| SHA256 | 7c20ef9d623455bba431ed46c37ed4264c74652190040ef93f9a54ef6cabe3a6 |
| SHA512 | e7a352405f8a79a6440f14753ca1138a48ca32a0827ac851761a4bb02b1ffbbfcfae5d9af8ca8bd1d94db7731a7a479dad7818aa4bf7f3c43376d5b0f4811723 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/3928-145-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/1188-147-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/1728-146-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3204-144-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/2220-148-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3108-149-0x0000000075000000-0x00000000757B0000-memory.dmp