Analysis Overview
SHA256
7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f
Threat Level: Known bad
The file 7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f was found to be: Known bad.
Malicious Activity Summary
Detects PlugX payload
PlugX
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-10 12:08
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 12:08
Reported
2024-04-10 12:11
Platform
win7-20240215-en
Max time kernel
150s
Max time network
142s
Signatures
Detects PlugX payload
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftManager.exe | N/A |
| N/A | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| N/A | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003700310033003200330030003300330039003000440046003000310033000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SoftManager.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SoftManager.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe
"C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe"
C:\Users\Admin\AppData\Local\Temp\SoftManager.exe
"C:\Users\Admin\AppData\Local\Temp\SoftManager.exe"
C:\ProgramData\360SoftManager\softmgr\SoftManager.exe
"C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 100 2976
C:\ProgramData\360SoftManager\softmgr\SoftManager.exe
"C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 2848
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| N/A | 10.127.255.255:53 | | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
Files
\Users\Admin\AppData\Local\Temp\SoftManager.exe
| MD5 | cffab901ec1573799473a7b4d110cf08 |
| SHA1 | 4dae9fc43de6bb4b3b47fcac5348a104c4792988 |
| SHA256 | 5ea1bb2021e94cd70d21bc51d586a1edc0cc1e584986cfc4460a2a98a828db97 |
| SHA512 | 8ab0334dbad12047e743c51cd44aec3287e4c938b904b01b9586e73c10d3aa1f36347f00045c89a2ca2399d140b804be789c502251b9d5b9dc7610ab9dc9cd60 |
C:\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | ce07ef4ef68a65715bb2c2beabdd289e |
| SHA1 | bc9565fc5b790cb6e6c7097248a3f4063db33ce6 |
| SHA256 | ddd19d60f37f04e33fb74f6ef2e45f24be1bab8423aba608987804eed9316567 |
| SHA512 | d24023ac21524e5e9d7d885c65038533ef055a9ada45a0a6f5b8218a88328dec27ea83fbff0423daf331b038da4fae2df3b450e3bfe41882b29e57fbea689227 |
C:\Users\Admin\AppData\Local\Temp\SoftManager.dat
| MD5 | e46f18ec2a13ef883c1b6a50ec157971 |
| SHA1 | 816e48a51827797bf3ab2204b962ab1edcb018d6 |
| SHA256 | 31ba90be019b15895da9b3a0943e88115fc08769d7857fc2fedc6eb7b13fd9c9 |
| SHA512 | 6c9da9296390c050af8255f1dead0bc18835bc5dbe2fd0e2baa6d00ed5c58b5109f06b4edd76e826b1976ce513cb0c097243ce5812f17b6be518469b10e35b0d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 12:08
Reported
2024-04-10 12:11
Platform
win10v2004-20240226-en
Max time kernel
159s
Max time network
168s
Signatures
Detects PlugX payload
PlugX
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftManager.exe | N/A |
| N/A | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| N/A | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftManager.exe | N/A |
| N/A | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| N/A | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| N/A | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| N/A | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| N/A | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| N/A | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42004400460031003200390043003700310034004400300041003000330041000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SoftManager.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SoftManager.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\360SoftManager\softmgr\SoftManager.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe
"C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe"
C:\Users\Admin\AppData\Local\Temp\SoftManager.exe
"C:\Users\Admin\AppData\Local\Temp\SoftManager.exe"
C:\ProgramData\360SoftManager\softmgr\SoftManager.exe
"C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 100 4488
C:\ProgramData\360SoftManager\softmgr\SoftManager.exe
"C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 2312
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| N/A | 10.127.255.255:53 | | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | rc.dajuw.com | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
| US | 8.8.8.8:53 | steam.dajuw.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\SoftManager.exe
C:\Users\Admin\AppData\Local\Temp\dbghelp.dll
C:\Users\Admin\AppData\Local\Temp\SoftManager.dat