Analysis Overview
SHA256
5550ba206748ee9f180a6a868ebd342ead8432b7cfecf0c02f37da86f913fe2a
Threat Level: Known bad
The file ESW2091H52Y6.gz was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Adds policy Run key to start application
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Modifies registry class
Modifies Internet Explorer settings
Runs regedit.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-17 16:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-17 16:35
Reported
2024-07-17 16:37
Platform
win7-20240705-en
Max time kernel
145s
Max time network
135s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-1385883288-3042840365-2734249351-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\help.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HHhHh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\4H5XFRP0W6 = "C:\\Program Files (x86)\\Windows Mail\\wab.exe" | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1268 set thread context of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\HHhHh.exe | C:\Program Files (x86)\Windows Mail\wab.exe |
| PID 2992 set thread context of 1196 | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | C:\Windows\Explorer.EXE |
| PID 2992 set thread context of 1196 | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | C:\Windows\Explorer.EXE |
| PID 2908 set thread context of 1196 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |
| PID 2908 set thread context of 2916 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\System32\notepad.exe |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-1385883288-3042840365-2734249351-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ESW2091H52Y6.vbe"
C:\Users\Admin\AppData\Local\Temp\HHhHh.exe
"C:\Users\Admin\AppData\Local\Temp\HHhHh.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1268 -s 656
C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.herbatyorganics.com | udp |
| CA | 23.227.38.74:80 | www.herbatyorganics.com | tcp |
| CA | 23.227.38.74:80 | www.herbatyorganics.com | tcp |
| US | 8.8.8.8:53 | www.xn--80ado1abokv5d.xn--p1acf | udp |
| RU | 88.212.206.251:80 | www.xn--80ado1abokv5d.xn--p1acf | tcp |
| RU | 88.212.206.251:80 | www.xn--80ado1abokv5d.xn--p1acf | tcp |
| US | 8.8.8.8:53 | www.dreamgame55.net | udp |
| US | 8.8.8.8:53 | www.legalix.xyz | udp |
| US | 8.8.8.8:53 | www.legalix.xyz | udp |
| US | 8.8.8.8:53 | www.club1stclass.com | udp |
| US | 15.197.148.33:80 | www.club1stclass.com | tcp |
| US | 15.197.148.33:80 | www.club1stclass.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\HHhHh.exe
| MD5 | 2e2001da412256e70357a85c584a5b61 |
| SHA1 | 6d35c2d73b30d6fe0c428687210d591856243006 |
| SHA256 | bad6f8d92ae8b460fa4cba747f45ca96d2292579375a5973a709b03a2e192aa3 |
| SHA512 | 1eef20ee569e98bd5d4f797489745713ab4b8b7c8a97f4367dd13d892afce0e1a5f72c51c6fa82f1fa3a30a1e95b1be03162a9f1ea3ba025356a18619e450d41 |
memory/1268-7-0x000007FEF5643000-0x000007FEF5644000-memory.dmp
memory/1268-8-0x0000000001080000-0x000000000108C000-memory.dmp
memory/1268-9-0x000000001B040000-0x000000001B04C000-memory.dmp
memory/1268-10-0x0000000000BD0000-0x0000000000C58000-memory.dmp
memory/1268-11-0x000007FEF5640000-0x000007FEF602C000-memory.dmp
memory/2888-12-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2888-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2992-25-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2992-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2992-30-0x00000000008D0000-0x0000000000BD3000-memory.dmp
memory/2992-33-0x0000000000190000-0x00000000001A4000-memory.dmp
memory/2992-32-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1196-34-0x0000000006AB0000-0x0000000006BEB000-memory.dmp
memory/1196-37-0x0000000006AB0000-0x0000000006BEB000-memory.dmp
memory/1196-40-0x0000000007880000-0x0000000007A01000-memory.dmp
memory/2992-39-0x00000000001D0000-0x00000000001E4000-memory.dmp
memory/2992-38-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2908-42-0x00000000004B0000-0x00000000004B6000-memory.dmp
memory/2908-41-0x00000000004B0000-0x00000000004B6000-memory.dmp
memory/1268-43-0x000007FEF5643000-0x000007FEF5644000-memory.dmp
memory/1268-44-0x000007FEF5640000-0x000007FEF602C000-memory.dmp
memory/2908-45-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/1196-51-0x0000000007880000-0x0000000007A01000-memory.dmp
memory/1196-54-0x000000000A100000-0x000000000A27B000-memory.dmp
C:\Users\Admin\AppData\Roaming\KNPQ4AV3\KNPlogri.ini
| MD5 | d63a82e5d81e02e399090af26db0b9cb |
| SHA1 | 91d0014c8f54743bba141fd60c9d963f869d76c9 |
| SHA256 | eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae |
| SHA512 | 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad |
C:\Users\Admin\AppData\Roaming\KNPQ4AV3\KNPlogrf.ini
| MD5 | 2f245469795b865bdd1b956c23d7893d |
| SHA1 | 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895 |
| SHA256 | 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361 |
| SHA512 | 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f |
C:\Users\Admin\AppData\Roaming\KNPQ4AV3\KNPlogrv.ini
| MD5 | ba3b6bc807d4f76794c4b81b09bb9ba5 |
| SHA1 | 24cb89501f0212ff3095ecc0aba97dd563718fb1 |
| SHA256 | 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507 |
| SHA512 | ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf |
C:\Users\Admin\AppData\Roaming\KNPQ4AV3\KNPlogim.jpeg
| MD5 | f096e655ee6ea3e468e5204124bc6d25 |
| SHA1 | 32c4264d12f227f7b3919975f1ca740ce9e1d60d |
| SHA256 | 024ae9be86ccc0e05cddeb5b6ac956dd99507d662862397c1b7dbaa5b77bfe61 |
| SHA512 | 37bcee3e64ab741724d734657649dff1e09ae75de245295ae2c5208673381d594e32fb11388487acc1dd103d9af69172c6906564c64f2ed17bc2f0899cc60b92 |
memory/1268-66-0x000007FEF5640000-0x000007FEF602C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-17 16:35
Reported
2024-07-17 16:37
Platform
win10v2004-20240709-en
Max time kernel
146s
Max time network
141s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HHhHh.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4612 set thread context of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\HHhHh.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| PID 4536 set thread context of 3528 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Explorer.EXE |
| PID 4536 set thread context of 3528 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Explorer.EXE |
| PID 4928 set thread context of 3528 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ESW2091H52Y6.vbe"
C:\Users\Admin\AppData\Local\Temp\HHhHh.exe
"C:\Users\Admin\AppData\Local\Temp\HHhHh.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
C:\Windows\System32\svchost.exe
"C:\Windows\System32\svchost.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.dreamgame55.net | udp |
| US | 8.8.8.8:53 | www.nbcze.com | udp |
| US | 154.197.220.122:80 | www.nbcze.com | tcp |
| US | 8.8.8.8:53 | 122.220.197.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.rendamaisbr.com | udp |
| US | 172.67.149.56:80 | www.rendamaisbr.com | tcp |
| US | 8.8.8.8:53 | 56.149.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | www.xn--80ado1abokv5d.xn--p1acf | udp |
| RU | 88.212.206.251:80 | www.xn--80ado1abokv5d.xn--p1acf | tcp |
| US | 8.8.8.8:53 | 251.206.212.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.mceliteroofing.com | udp |
| US | 192.0.78.24:80 | www.mceliteroofing.com | tcp |
| US | 8.8.8.8:53 | 24.78.0.192.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\HHhHh.exe
| MD5 | 2e2001da412256e70357a85c584a5b61 |
| SHA1 | 6d35c2d73b30d6fe0c428687210d591856243006 |
| SHA256 | bad6f8d92ae8b460fa4cba747f45ca96d2292579375a5973a709b03a2e192aa3 |
| SHA512 | 1eef20ee569e98bd5d4f797489745713ab4b8b7c8a97f4367dd13d892afce0e1a5f72c51c6fa82f1fa3a30a1e95b1be03162a9f1ea3ba025356a18619e450d41 |
memory/4612-11-0x00007FFE28B03000-0x00007FFE28B05000-memory.dmp
memory/4612-12-0x000002C0C3960000-0x000002C0C396C000-memory.dmp
memory/4612-14-0x000002C0C55C0000-0x000002C0C5648000-memory.dmp
memory/4612-13-0x000002C0DDE50000-0x000002C0DDE5C000-memory.dmp
memory/4612-15-0x00007FFE28B00000-0x00007FFE295C1000-memory.dmp
memory/4536-16-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4536-17-0x0000000001C80000-0x0000000001FCA000-memory.dmp
memory/4536-20-0x00000000016D0000-0x00000000016E4000-memory.dmp
memory/4536-19-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3528-21-0x0000000008840000-0x00000000089EC000-memory.dmp
memory/4612-22-0x00007FFE28B00000-0x00007FFE295C1000-memory.dmp
memory/4536-24-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4536-25-0x0000000001790000-0x00000000017A4000-memory.dmp
memory/3528-26-0x0000000008D80000-0x0000000008EFC000-memory.dmp
memory/4928-27-0x0000000000A40000-0x0000000000A52000-memory.dmp
memory/4928-29-0x0000000000A40000-0x0000000000A52000-memory.dmp
memory/4928-31-0x0000000000A40000-0x0000000000A52000-memory.dmp
memory/4928-32-0x0000000000600000-0x000000000062F000-memory.dmp
memory/3528-35-0x0000000008D80000-0x0000000008EFC000-memory.dmp
memory/3528-36-0x0000000008F00000-0x0000000008FD1000-memory.dmp