Analysis Overview
SHA256
09233ec1998287e1addfde586c10fe3493ac90fa51d2bb0ed95a5bf685f258fe
Threat Level: Known bad
The file Note.zip was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Adds Run key to start application
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-10-11 12:03
Signatures
Unsigned PE
Analysis: behavioral5
Detonation Overview
Submitted
2023-10-11 12:03
Reported
2023-10-11 21:26
Platform
win7-20230831-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\envsrv.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-10-11 12:03
Reported
2023-10-11 21:27
Platform
win7-20230831-en
Max time kernel
120s
Max time network
130s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mschost.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-11 12:03
Reported
2023-10-11 21:26
Platform
win10v2004-20230915-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AppvIsvSubsystems64.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-10-11 12:03
Reported
2023-10-11 21:27
Platform
win7-20230831-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\Note .exe
"C:\Users\Admin\AppData\Local\Temp\Note .exe"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-10-11 12:03
Reported
2023-10-11 21:27
Platform
win10v2004-20230915-en
Max time kernel
166s
Max time network
172s
Command Line
Signatures
Cobaltstrike
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsWordHostService = "C:\\Users\\Admin\\AppData\\Local\\MsWordHostService\\Note .exe" | C:\Windows\system32\taskhostw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Note .exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskhostw.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2588 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\Note .exe | C:\Windows\system32\taskhostw.exe |
| PID 2588 wrote to memory of 3316 | N/A | C:\Users\Admin\AppData\Local\Temp\Note .exe | C:\Windows\system32\svchost.exe |
| PID 2588 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\Note .exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 2588 wrote to memory of 3956 | N/A | C:\Users\Admin\AppData\Local\Temp\Note .exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 2588 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\Note .exe | C:\Windows\system32\svchost.exe |
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\Note .exe
"C:\Users\Admin\AppData\Local\Temp\Note .exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | communitypowersports.com | udp |
| IT | 179.43.162.63:443 | communitypowersports.com | tcp |
| IT | 179.43.162.63:443 | communitypowersports.com | tcp |
| IT | 179.43.162.63:443 | communitypowersports.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.86.200.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| IT | 179.43.162.63:443 | communitypowersports.com | tcp |
| IT | 179.43.162.63:443 | communitypowersports.com | tcp |
| IT | 179.43.162.63:443 | communitypowersports.com | tcp |
| US | 8.8.8.8:53 | 126.178.238.8.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-10-11 12:03
Reported
2023-10-11 21:29
Platform
win10v2004-20230915-en
Max time kernel
206s
Max time network
224s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\envsrv.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-10-11 12:03
Reported
2023-10-11 21:27
Platform
win10v2004-20230915-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mschost.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-10-11 12:03
Reported
2023-10-11 21:26
Platform
win7-20230831-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msword.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-10-11 12:03
Reported
2023-10-11 21:26
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msword.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-11 12:03
Reported
2023-10-11 21:26
Platform
win7-20230831-en
Max time kernel
119s
Max time network
133s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AppvIsvSubsystems64.dll,#1
Network
Files