Analysis Overview
SHA256
0d22dd434899945a1d3c38e17dbf83a2dae6296ec094c273b2f10a0cc7767fc3
Threat Level: Shows suspicious behavior
The file 0653a11e9915e895339ae0b1e1b4b15b was found to be: Shows suspicious behavior.
Malicious Activity Summary
VMProtect packed file
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Runs net.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-21 21:49
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-21 21:49
Reported
2023-12-21 23:26
Platform
win7-20231215-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\Appearance\Schemes | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe
"C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c sc config "UxSms" start= demand
C:\Windows\SysWOW64\net.exe
net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\sc.exe
sc config "UxSms" start= demand
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\cmd.exe
cmd /c net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\cmd.exe
cmd /c net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net.exe
net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
C:\Windows\SysWOW64\cmd.exe
cmd /c net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net.exe
net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\SysWOW64\cmd.exe
cmd /c net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net.exe
net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
C:\Windows\SysWOW64\cmd.exe
cmd /c net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net.exe
net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\cmd.exe
cmd /c net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net.exe
net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\DWM" /v Composition /t reg_dword /d 00000001 /f
C:\Windows\SysWOW64\net.exe
net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\DWM" /v CompositionPolicy /t reg_dword /d 00000002 /f
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net.exe
net stop uxsms
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop uxsms
C:\Windows\SysWOW64\net.exe
net start uxsms
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start uxsms
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net.exe
net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
C:\Users\Admin\AppData\Local\Temp\1.bat
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-21 21:49
Reported
2023-12-21 23:26
Platform
win10v2004-20231215-en
Max time kernel
157s
Max time network
161s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe
"C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe"
Network
Files