Analysis Overview
SHA256
44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
Threat Level: Known bad
The file 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c was found to be: Known bad.
Malicious Activity Summary
NanoCore
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-11 08:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-11 08:29
Reported
2024-05-11 08:31
Platform
win7-20231129-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
NanoCore
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2332 set thread context of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\TCP Service\tcpsv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TCP Service\tcpsv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe
"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5792.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp59D3.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5A70.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
Files
memory/2332-3-0x0000000000520000-0x000000000053E000-memory.dmp
memory/2332-2-0x0000000074740000-0x0000000074E2E000-memory.dmp
memory/2332-1-0x0000000000CF0000-0x0000000000DE2000-memory.dmp
memory/2332-0-0x000000007474E000-0x000000007474F000-memory.dmp
memory/2332-4-0x0000000000570000-0x0000000000580000-memory.dmp
memory/2332-5-0x0000000000580000-0x0000000000596000-memory.dmp
memory/2332-6-0x0000000004F40000-0x0000000004FBC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | c984356377f6023ab02afb0cb56d93e8 |
| SHA1 | a349e0f159091aea365edbb8824e470e5c02ec7f |
| SHA256 | 7e2b3cc44ad801ee61c4505175c05873c4f6d70932b52f439160e2d1a6945834 |
| SHA512 | a4eccf2365650db96fda4a481df2ddfbf6bbd4e47c825d8f2d9815302fda98c08103cf65598c01851d3b7733ecefcb3d56e88ee913bbb0c06c984c4024865153 |
C:\Users\Admin\AppData\Local\Temp\tmp5792.tmp
| MD5 | 37c3bf061fc83cfa0fff578991861201 |
| SHA1 | 2f763a0934087412b1b3691a3ffa0285761861ec |
| SHA256 | e560ac3d5703190d0e476ce0e75ec41d3a7fa9a5e557f593e888b969ed6745cb |
| SHA512 | 70f11f01ce8d207b68a5838da320fba289d26b3060911357e6551c935bde0450b97d2e01f36dd9a5d304210d30b8d5a2e858a974ffaf80dd320e3e95af462a8d |
memory/2408-23-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2408-30-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2408-29-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2408-28-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2408-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2408-25-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2408-21-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2408-19-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2332-31-0x000000007474E000-0x000000007474F000-memory.dmp
memory/2332-32-0x0000000074740000-0x0000000074E2E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp59D3.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
C:\Users\Admin\AppData\Local\Temp\tmp5A70.tmp
| MD5 | 93fc3117767507c9889abd12dc667d22 |
| SHA1 | 1096e4cfa0c35756e3c3fb866c1e4c1e59115df9 |
| SHA256 | 684997dd4ce15031cec8f2f93933b1d41d7bf5cbbff655dd64377b07055c449a |
| SHA512 | e403348ee77bd3e7c45245dd5dae81c3ea130d5cf342f630982772ce5f75548b292013480e2831d68cf51349b64afde4589d4eec94b567d20f0a01e3b9549bdc |
memory/2408-40-0x00000000003F0000-0x00000000003FA000-memory.dmp
memory/2408-41-0x0000000000480000-0x000000000048C000-memory.dmp
memory/2408-42-0x0000000000490000-0x00000000004AE000-memory.dmp
memory/2408-43-0x00000000004C0000-0x00000000004CA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-11 08:29
Reported
2024-05-11 08:31
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
NanoCore
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 960 set thread context of 4920 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe
"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA1FD.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA7E8.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpABC2.tmp"
Network
| Country | Destination | Domain | Proto |
| BE | 2.17.107.112:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
Files
memory/960-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp
memory/960-1-0x0000000000B50000-0x0000000000C42000-memory.dmp
memory/960-2-0x0000000005A40000-0x0000000005FE4000-memory.dmp
memory/960-3-0x0000000005530000-0x00000000055C2000-memory.dmp
memory/960-4-0x0000000005520000-0x000000000552A000-memory.dmp
memory/960-5-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/960-6-0x00000000058E0000-0x00000000058FE000-memory.dmp
memory/960-7-0x0000000005930000-0x0000000005940000-memory.dmp
memory/960-8-0x0000000005A30000-0x0000000005A46000-memory.dmp
memory/960-9-0x0000000006B10000-0x0000000006B8C000-memory.dmp
memory/960-10-0x0000000009140000-0x00000000091DC000-memory.dmp
memory/960-14-0x0000000074A5E000-0x0000000074A5F000-memory.dmp
memory/4008-16-0x0000000002FC0000-0x0000000002FF6000-memory.dmp
memory/960-18-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/4008-17-0x0000000005B00000-0x0000000006128000-memory.dmp
memory/4008-19-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/4008-20-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/3860-21-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/3860-22-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/3860-23-0x0000000074A50000-0x0000000075200000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA1FD.tmp
| MD5 | f7c5ed2cd473833b154217a52a430c51 |
| SHA1 | 589d8d69330ed81aa7eab30717f4c384b80774c6 |
| SHA256 | f52d3cb7276344ea53186879470ef28cd1bd72838d711ec9630fe8c45a887cab |
| SHA512 | 9cd86b088fe15999de8a6027b379cd5a4c75267ee867fbaa01b52ae1a0a1bef099932bf7998a329c3721adc264f804b66581c23b1f42e65b2abcb9cb7478fd9a |
memory/4008-25-0x0000000005A10000-0x0000000005A32000-memory.dmp
memory/4008-27-0x00000000062A0000-0x0000000006306000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvdet0h4.j1w.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3860-46-0x00000000059C0000-0x0000000005D14000-memory.dmp
memory/4920-47-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4008-26-0x0000000006230000-0x0000000006296000-memory.dmp
memory/960-49-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/4008-50-0x00000000068E0000-0x00000000068FE000-memory.dmp
memory/4008-51-0x0000000006910000-0x000000000695C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA7E8.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
memory/4008-59-0x00000000752E0000-0x000000007532C000-memory.dmp
memory/4008-70-0x0000000007AD0000-0x0000000007B73000-memory.dmp
memory/4008-69-0x0000000007A60000-0x0000000007A7E000-memory.dmp
memory/4008-58-0x0000000007A80000-0x0000000007AB2000-memory.dmp
memory/4008-71-0x0000000008250000-0x00000000088CA000-memory.dmp
memory/4008-72-0x0000000007C10000-0x0000000007C2A000-memory.dmp
memory/4008-73-0x0000000007C80000-0x0000000007C8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpABC2.tmp
| MD5 | 5fea24e883e06e4df6d240dc72abf2c5 |
| SHA1 | d778bf0f436141e02df4b421e8188abdcc9a84a4 |
| SHA256 | e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66 |
| SHA512 | 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924 |
memory/4920-76-0x0000000005730000-0x000000000573A000-memory.dmp
memory/4008-75-0x0000000007E70000-0x0000000007F06000-memory.dmp
memory/4920-79-0x00000000068B0000-0x00000000068BA000-memory.dmp
memory/4920-78-0x0000000005900000-0x000000000591E000-memory.dmp
memory/4920-77-0x0000000005740000-0x000000000574C000-memory.dmp
memory/4008-80-0x0000000007E30000-0x0000000007E41000-memory.dmp
memory/3860-81-0x00000000752E0000-0x000000007532C000-memory.dmp
memory/4008-91-0x0000000007E60000-0x0000000007E6E000-memory.dmp
memory/4008-92-0x0000000007F10000-0x0000000007F24000-memory.dmp
memory/4008-93-0x0000000007F60000-0x0000000007F7A000-memory.dmp
memory/4008-94-0x0000000007F50000-0x0000000007F58000-memory.dmp
memory/4008-97-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/3860-98-0x0000000074A50000-0x0000000075200000-memory.dmp