Analysis Overview
SHA256
bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
Threat Level: Known bad
The file 8663ed0caec9adcb980a4a7ea23e7984 was found to be: Known bad.
Malicious Activity Summary
Oski
Checks computer location settings
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-02-01 08:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-01 08:18
Reported
2024-02-01 08:21
Platform
win7-20231215-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Oski
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2064 set thread context of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp11A.tmp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 112
Network
Files
memory/2064-1-0x0000000074DA0000-0x000000007548E000-memory.dmp
memory/2064-0-0x0000000000830000-0x0000000000982000-memory.dmp
memory/2064-2-0x0000000004D80000-0x0000000004DC0000-memory.dmp
memory/2064-3-0x0000000000350000-0x0000000000362000-memory.dmp
memory/2064-4-0x0000000074DA0000-0x000000007548E000-memory.dmp
memory/2064-5-0x0000000004D80000-0x0000000004DC0000-memory.dmp
memory/2064-6-0x0000000007320000-0x00000000073C0000-memory.dmp
memory/2064-7-0x00000000005B0000-0x00000000005E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp11A.tmp
| MD5 | 54fa8bc5bbafc3584dbfa158d162cd17 |
| SHA1 | f821b3a2bc1eca5d0b168a0adb74ccb4ab91647c |
| SHA256 | 98cfd9fea95710566df443a797c3b2194c2ba2bb3538993bc655aaf7737d5eca |
| SHA512 | 74ee2b117a814ea4b75bee425a9c6cb9d894c3831584c9625c5a4e7ea936444f4b40114a3317384e3c7f85feaad39e3e9e20804674cef42b50e2988f0cba4b18 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1F5MMQFBI360BKZ38KLI.temp
| MD5 | 4f1ce12a4b1dafd88533a8e9ff43a54b |
| SHA1 | 4e026cbc27aa930e04e8f0393802959b79e4341d |
| SHA256 | cbfadc2117af87deca05322c52a9e0a0537a0b3c2c739f98feb2de88fb6e9850 |
| SHA512 | 48dc884b1dc9691d9a0affbe2e5976ebf61d6d4012ac34d5af716e932dd7bcd1fef2a32498d75a7667d6c1a355bd968423221201e44569a6799a7650c593027c |
memory/2944-20-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2944-23-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2944-24-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2944-25-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2944-26-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2944-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2944-33-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2944-35-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2064-36-0x0000000074DA0000-0x000000007548E000-memory.dmp
memory/2588-37-0x000000006FC30000-0x00000000701DB000-memory.dmp
memory/1152-38-0x000000006FC30000-0x00000000701DB000-memory.dmp
memory/2588-39-0x00000000023C0000-0x0000000002400000-memory.dmp
memory/1152-40-0x000000006FC30000-0x00000000701DB000-memory.dmp
memory/2588-41-0x000000006FC30000-0x00000000701DB000-memory.dmp
memory/2908-42-0x000000006FC30000-0x00000000701DB000-memory.dmp
memory/2908-43-0x000000006FC30000-0x00000000701DB000-memory.dmp
memory/2908-44-0x0000000002590000-0x00000000025D0000-memory.dmp
memory/1152-49-0x00000000025E0000-0x0000000002620000-memory.dmp
memory/2588-48-0x00000000023C0000-0x0000000002400000-memory.dmp
memory/2908-50-0x0000000002590000-0x00000000025D0000-memory.dmp
memory/1152-47-0x00000000025E0000-0x0000000002620000-memory.dmp
memory/1152-46-0x00000000025E0000-0x0000000002620000-memory.dmp
memory/2588-45-0x00000000023C0000-0x0000000002400000-memory.dmp
memory/2588-53-0x000000006FC30000-0x00000000701DB000-memory.dmp
memory/2908-52-0x000000006FC30000-0x00000000701DB000-memory.dmp
memory/1152-51-0x000000006FC30000-0x00000000701DB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-01 08:18
Reported
2024-02-01 08:21
Platform
win10v2004-20231215-en
Max time kernel
90s
Max time network
158s
Command Line
Signatures
Oski
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2368 set thread context of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF48.tmp"
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3808 -ip 3808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1328
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fine.le-pearl.com | udp |
| US | 108.167.158.96:80 | fine.le-pearl.com | tcp |
| US | 8.8.8.8:53 | 96.158.167.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2368-0-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/2368-1-0x0000000000230000-0x0000000000382000-memory.dmp
memory/2368-2-0x0000000005430000-0x00000000059D4000-memory.dmp
memory/2368-3-0x0000000004D90000-0x0000000004E22000-memory.dmp
memory/2368-4-0x0000000005060000-0x0000000005070000-memory.dmp
memory/2368-5-0x0000000004D70000-0x0000000004D7A000-memory.dmp
memory/2368-6-0x0000000005110000-0x00000000051AC000-memory.dmp
memory/2368-7-0x00000000027F0000-0x0000000002802000-memory.dmp
memory/2368-8-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/2368-9-0x0000000005060000-0x0000000005070000-memory.dmp
memory/2368-10-0x0000000007BE0000-0x0000000007C80000-memory.dmp
memory/2368-11-0x0000000000830000-0x0000000000868000-memory.dmp
memory/3612-14-0x00000000049F0000-0x0000000004A26000-memory.dmp
memory/3612-16-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/3612-17-0x0000000004B50000-0x0000000004B60000-memory.dmp
memory/3612-19-0x0000000004B50000-0x0000000004B60000-memory.dmp
memory/3612-20-0x0000000005190000-0x00000000057B8000-memory.dmp
memory/388-21-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/388-22-0x0000000004530000-0x0000000004540000-memory.dmp
memory/388-23-0x0000000004530000-0x0000000004540000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF48.tmp
| MD5 | bfef3e0f4a9459d614280e57d66331fd |
| SHA1 | 82db44dbeb70eedbc3fad4a6b5b1a7aa45067f07 |
| SHA256 | aecc57f67936fe509d09e8c82743e056a3d2b0d20d3ab5cd39d9e654b525f4de |
| SHA512 | 6f2b0edce0c944760721e5cb6e636babf6ceed54cfa220e8afcebde01fb2c2c9ead37df97eaa102af7324b939a7a22dc4a5073903b4adbad2696aa211bebf55e |
memory/388-25-0x0000000004A30000-0x0000000004A52000-memory.dmp
memory/388-26-0x00000000051A0000-0x0000000005206000-memory.dmp
memory/388-27-0x0000000005380000-0x00000000053E6000-memory.dmp
memory/3808-28-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3808-29-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1jx5o5fh.fct.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3808-41-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3808-42-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3612-51-0x00000000059B0000-0x0000000005D04000-memory.dmp
memory/2368-52-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/4524-53-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/4524-54-0x00000000055D0000-0x00000000055E0000-memory.dmp
memory/4524-55-0x00000000055D0000-0x00000000055E0000-memory.dmp
memory/3612-65-0x0000000004D40000-0x0000000004D5E000-memory.dmp
memory/388-66-0x0000000005A60000-0x0000000005AAC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\suspendedpage[1].htm
| MD5 | 1842eed13fddc700a50adada08a0f84d |
| SHA1 | 5e7b6997ffaf89afdb803de2e9231cd8886621ae |
| SHA256 | 47ac9eef48022403111f9cef6871af594079acdd88da83e7d2b2a92fa47f7368 |
| SHA512 | 0d0086367e60782f81324abc5a79ae4c19aaa96aeb7aead23d4ca2dde0af5cc7cf3cc9b6e391b95405ed97a136fcd99af3f868a6027b89b5fcc47cff52272b1d |
memory/3612-81-0x0000000004B50000-0x0000000004B60000-memory.dmp
memory/4524-84-0x00000000055D0000-0x00000000055E0000-memory.dmp
memory/3612-86-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/388-87-0x000000007FD60000-0x000000007FD70000-memory.dmp
memory/388-90-0x0000000071330000-0x000000007137C000-memory.dmp
memory/3612-110-0x000000007FA30000-0x000000007FA40000-memory.dmp
memory/3612-111-0x00000000065A0000-0x00000000065BE000-memory.dmp
memory/4524-92-0x0000000071330000-0x000000007137C000-memory.dmp
memory/4524-91-0x000000007F8B0000-0x000000007F8C0000-memory.dmp
memory/3612-89-0x0000000071330000-0x000000007137C000-memory.dmp
memory/4524-88-0x0000000006ED0000-0x0000000006F02000-memory.dmp
memory/388-122-0x0000000006C60000-0x0000000006D03000-memory.dmp
memory/4524-123-0x0000000008270000-0x00000000088EA000-memory.dmp
memory/388-124-0x0000000006D50000-0x0000000006D6A000-memory.dmp
memory/4524-125-0x0000000007C90000-0x0000000007C9A000-memory.dmp
memory/388-126-0x0000000006FD0000-0x0000000007066000-memory.dmp
memory/4524-127-0x0000000007E20000-0x0000000007E31000-memory.dmp
memory/3808-128-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3612-129-0x0000000007530000-0x000000000753E000-memory.dmp
memory/4524-130-0x0000000007E60000-0x0000000007E74000-memory.dmp
memory/388-131-0x0000000007090000-0x00000000070AA000-memory.dmp
memory/388-132-0x0000000007070000-0x0000000007078000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7b3838f4190c655faff2b16381db2da0 |
| SHA1 | 07ef36fbf036addeb4e3efe56d9d31d68250da2a |
| SHA256 | bd6ff03e889eb9055996414672e89cd161a76d929bcf8344c80307319c19cf67 |
| SHA512 | 7a0196559971e9338c18931742ddb844313edc9550fc1e30fc17f6f851ed10008658b94d9c6e26423aa622fdbfd7c68917c65ce11d5750a7534a85f0c9f94e36 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/4524-140-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/388-142-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/3612-141-0x0000000074B40000-0x00000000752F0000-memory.dmp