Analysis Overview
Threat Level: Known bad
The file https://mega.nz/file/jqxVWIQT#EcaGfUbysreSEyuzDiIu9RNSIk7rIGYTYiGugzjLoqE was found to be: Known bad.
Malicious Activity Summary
NanoCore
Modifies Installed Components in the registry
Adds Run key to start application
Drops file in Program Files directory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-05 08:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-05 08:03
Reported
2024-05-05 08:06
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
NanoCore
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files\\SMTP Subsystem\\smtpss.exe" | C:\Users\Admin\Downloads\godhuntermode.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\SMTP Subsystem\smtpss.exe | C:\Users\Admin\Downloads\godhuntermode.exe | N/A |
| File opened for modification | C:\Program Files\SMTP Subsystem\smtpss.exe | C:\Users\Admin\Downloads\godhuntermode.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{A7877BB6-314B-4D92-9A8D-6CD919E6050E} | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\godhuntermode.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\godhuntermode.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\godhuntermode.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\godhuntermode.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\godhuntermode.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1128 wrote to memory of 1780 | N/A | C:\Users\Admin\Downloads\godhuntermode.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1128 wrote to memory of 1780 | N/A | C:\Users\Admin\Downloads\godhuntermode.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1128 wrote to memory of 4956 | N/A | C:\Users\Admin\Downloads\godhuntermode.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1128 wrote to memory of 4956 | N/A | C:\Users\Admin\Downloads\godhuntermode.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/jqxVWIQT#EcaGfUbysreSEyuzDiIu9RNSIk7rIGYTYiGugzjLoqE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4816 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4892 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4732 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=1328 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3780 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=4904 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5236 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x304
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6236 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6212 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6552 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6792 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6976 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\Downloads\godhuntermode.exe
"C:\Users\Admin\Downloads\godhuntermode.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDE45.tmp"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDF11.tmp"
C:\Windows\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=5812 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mega.nz | udp |
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | mega.nz | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| GB | 172.165.69.228:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.69.228:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 2.21.17.194:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| NL | 96.16.53.162:443 | bzib.nelreports.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 5.145.216.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.69.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.17.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.53.16.96.in-addr.arpa | udp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | eu.static.mega.co.nz | udp |
| US | 8.8.8.8:53 | eu.static.mega.co.nz | udp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| NL | 23.62.61.153:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.13:443 | g.api.mega.co.nz | tcp |
| LU | 66.203.125.13:443 | g.api.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 132.169.44.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.189.173.22:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 22.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | postnav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | postnav-edge.smartscreen.microsoft.com | udp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| US | 8.8.8.8:53 | xpaycdn.azureedge.net | udp |
| US | 8.8.8.8:53 | xpaycdn.azureedge.net | udp |
| US | 13.107.246.64:443 | xpaycdn.azureedge.net | tcp |
| US | 13.107.246.64:443 | xpaycdn.azureedge.net | tcp |
| N/A | 127.0.0.1:6341 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 127.0.0.1:6341 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gfs270n070.userstorage.mega.co.nz | udp |
| US | 8.8.8.8:53 | gfs270n070.userstorage.mega.co.nz | udp |
| LU | 31.216.148.27:443 | gfs270n070.userstorage.mega.co.nz | tcp |
| LU | 31.216.148.27:443 | gfs270n070.userstorage.mega.co.nz | tcp |
| US | 8.8.8.8:53 | dl-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | dl-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.148.216.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | app-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | app-edge.smartscreen.microsoft.com | udp |
| GB | 13.87.96.169:443 | app-edge.smartscreen.microsoft.com | tcp |
| NL | 23.62.61.153:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 74.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mega.nz | udp |
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.144.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | 5.144.216.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | july-pty.at.ply.gg | udp |
| DE | 209.25.141.212:32243 | july-pty.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 212.141.25.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pornhub.com | udp |
| US | 66.254.114.41:80 | pornhub.com | tcp |
| US | 66.254.114.41:443 | pornhub.com | tcp |
| US | 8.8.8.8:53 | www.pornhub.com | udp |
| US | 66.254.114.41:443 | www.pornhub.com | tcp |
| US | 8.8.8.8:53 | 41.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ei.phncdn.com | udp |
| US | 8.8.8.8:53 | static.trafficjunky.com | udp |
| US | 8.8.8.8:53 | cdn1-smallimg.phncdn.com | udp |
| US | 8.8.8.8:53 | media.trafficjunky.net | udp |
| US | 66.254.114.156:443 | cdn1-smallimg.phncdn.com | tcp |
| GB | 64.210.156.20:443 | media.trafficjunky.net | tcp |
| GB | 64.210.156.22:443 | media.trafficjunky.net | tcp |
| GB | 64.210.156.22:443 | media.trafficjunky.net | tcp |
| GB | 64.210.156.19:443 | media.trafficjunky.net | tcp |
| US | 66.254.114.41:443 | www.pornhub.com | tcp |
| GB | 64.210.156.20:443 | media.trafficjunky.net | tcp |
| US | 8.8.8.8:53 | 156.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpDE45.tmp
| MD5 | 27c110eeac8b064d06586616a32e5ccd |
| SHA1 | c02635e49bb1bbc6a2966e0b7952fff0892d3cf1 |
| SHA256 | 21ad204215b4be0d8900c4f8d19a58fc245db473b3d15101212899b8364d2294 |
| SHA512 | a6928600c976c1ccacfb98c80dd5479f40768100d638babd36da0efd1c34d4dbb7ca555b59d25a8713ad38cffbe7e4ead1c6731820286502a4c986cd93b15c7a |
C:\Users\Admin\AppData\Local\Temp\tmpDF11.tmp
| MD5 | f4819a1db9e68dc60cf594a7262a3f4c |
| SHA1 | 105f1392b72f117e378e502436eafadac5d6eb95 |
| SHA256 | 9648afd55d1ee72983b04b574bb1fa870549d3db91dafdd7a15e253858090f2a |
| SHA512 | 18a71e6ecd89ee2f8cb9d55abc0507acfddacc18c6fff9bbd2e891cf4b3dacad8e2a2bc5a76071d6539ab23b905b8e0e313806152795b9b3a20882d90f6cfa2a |