Analysis Overview
SHA256
0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3
Threat Level: Known bad
The file 0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-05 18:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 18:11
Reported
2024-08-05 18:14
Platform
win7-20240705-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
NanoCore
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Subsystem = "C:\\Program Files (x86)\\AGP Subsystem\\agpss.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2372 set thread context of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\AGP Subsystem\agpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AGP Subsystem\agpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe
"C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mzHFviYTm.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mzHFviYTm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1BAB.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1D7F.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1DCE.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65140 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65140 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 94.156.65.159:65140 | december2nd.ddns.net | tcp |
| NL | 94.156.65.159:65140 | december2nd.ddns.net | tcp |
| NL | 94.156.65.159:65140 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65140 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65140 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65140 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 94.156.65.159:65140 | december2nd.ddns.net | tcp |
| NL | 94.156.65.159:65140 | december2nd.ddns.net | tcp |
| NL | 94.156.65.159:65140 | tcp |
Files
memory/2372-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp
memory/2372-1-0x0000000000050000-0x00000000000FE000-memory.dmp
memory/2372-2-0x0000000074A50000-0x000000007513E000-memory.dmp
memory/2372-3-0x0000000000880000-0x0000000000898000-memory.dmp
memory/2372-4-0x00000000008A0000-0x00000000008AE000-memory.dmp
memory/2372-5-0x0000000000A80000-0x0000000000A96000-memory.dmp
memory/2372-6-0x00000000058F0000-0x000000000596C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1BAB.tmp
| MD5 | dfa09ddcfd1937a6af01dd0a99f1b2b7 |
| SHA1 | cf5af2524c4af1cbd40744c5dce520dc0b5d1340 |
| SHA256 | 24df013ee91967e64a038166c0cc155f8731b4dbe22538fad19831ed887009a1 |
| SHA512 | 6841306787671d4916ed49173801dca20de13c54c28451b7642983f29bc88d366fd7af7db01f01219614b769aed0bf3bd416aeee2234c0eea447812b74d0289f |
memory/2476-23-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2476-14-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2476-24-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2476-26-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2476-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2476-20-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2476-18-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2476-16-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2372-27-0x0000000074A50000-0x000000007513E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1D7F.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
C:\Users\Admin\AppData\Local\Temp\tmp1DCE.tmp
| MD5 | 8aefdc623880016d77594b1802f74db6 |
| SHA1 | 17608aaab6106247dec66a472516d023272c9b9b |
| SHA256 | ccd9d374a356e8635fe06015e07c986fb0e6f71099234ddc2935a6cb5e1571ac |
| SHA512 | bde73cc8244dcb054ff68b86df14ae644b0816aac8524e746e9bf0e68406c6d7e8ee6a0c642b11a9b197319b023c43fcbdc5eafe9c32e4011ad8065cea0b1eb5 |
memory/2476-35-0x00000000003F0000-0x00000000003FA000-memory.dmp
memory/2476-36-0x0000000000480000-0x000000000048C000-memory.dmp
memory/2476-37-0x0000000000790000-0x00000000007AE000-memory.dmp
memory/2476-38-0x0000000000680000-0x000000000068A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 18:11
Reported
2024-08-05 18:14
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
150s
Command Line
Signatures
NanoCore
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3936 set thread context of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe
"C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mzHFviYTm.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mzHFviYTm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDD8F.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDDBE.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65140 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| US | 192.169.69.26:65140 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 94.156.65.159:65140 | december2nd.ddns.net | tcp |
| NL | 94.156.65.159:65140 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| NL | 94.156.65.159:65140 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 192.169.69.26:65140 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65140 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65140 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 94.156.65.159:65140 | december2nd.ddns.net | tcp |
| NL | 94.156.65.159:65140 | december2nd.ddns.net | tcp |
| NL | 94.156.65.159:65140 | december2nd.ddns.net | tcp |
Files
memory/3936-0-0x0000000074F3E000-0x0000000074F3F000-memory.dmp
memory/3936-1-0x0000000000100000-0x00000000001AE000-memory.dmp
memory/3936-2-0x0000000005090000-0x0000000005634000-memory.dmp
memory/3936-3-0x0000000004B90000-0x0000000004C22000-memory.dmp
memory/3936-4-0x0000000074F30000-0x00000000756E0000-memory.dmp
memory/3936-5-0x0000000004C40000-0x0000000004C4A000-memory.dmp
memory/3936-6-0x0000000004F00000-0x0000000004F18000-memory.dmp
memory/3936-7-0x0000000004F20000-0x0000000004F2E000-memory.dmp
memory/3936-8-0x0000000005050000-0x0000000005066000-memory.dmp
memory/3936-9-0x0000000008990000-0x0000000008A0C000-memory.dmp
memory/3936-10-0x0000000008780000-0x000000000881C000-memory.dmp
memory/3936-14-0x0000000074F3E000-0x0000000074F3F000-memory.dmp
memory/4156-16-0x0000000002E00000-0x0000000002E36000-memory.dmp
memory/3936-17-0x0000000074F30000-0x00000000756E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp
| MD5 | 7981eebe755ccc342576981272e781a6 |
| SHA1 | 7f8ac0e50a7bd2fb923b85944aff8df941973e54 |
| SHA256 | 665d2204f88763f169136196875e2ca72039416460b61c330863a938db0090e8 |
| SHA512 | eb0dbe1b45d84ec140b62a13117df1379b61f94004bc2da17b000d322c29cf7493b5de57f601d583b9a742c3f7d3cbd12fffbf0360cba142237c08099947a2e0 |
memory/4156-19-0x0000000005B90000-0x00000000061B8000-memory.dmp
memory/4156-20-0x0000000074F30000-0x00000000756E0000-memory.dmp
memory/4156-21-0x0000000074F30000-0x00000000756E0000-memory.dmp
memory/2576-22-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2576-23-0x0000000074F30000-0x00000000756E0000-memory.dmp
memory/3936-25-0x0000000074F30000-0x00000000756E0000-memory.dmp
memory/4156-28-0x0000000005AA0000-0x0000000005B06000-memory.dmp
memory/4156-27-0x0000000005A30000-0x0000000005A96000-memory.dmp
memory/4156-26-0x0000000005990000-0x00000000059B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dpfxg4q4.434.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\tmpDD8F.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
C:\Users\Admin\AppData\Local\Temp\tmpDDBE.tmp
| MD5 | 5fea24e883e06e4df6d240dc72abf2c5 |
| SHA1 | d778bf0f436141e02df4b421e8188abdcc9a84a4 |
| SHA256 | e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66 |
| SHA512 | 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924 |
memory/2576-48-0x00000000068C0000-0x00000000068DE000-memory.dmp
memory/2576-49-0x00000000069F0000-0x00000000069FA000-memory.dmp
memory/2576-47-0x0000000005A70000-0x0000000005A7C000-memory.dmp
memory/2576-46-0x0000000005950000-0x000000000595A000-memory.dmp
memory/4156-40-0x00000000061C0000-0x0000000006514000-memory.dmp
memory/4156-50-0x0000000006720000-0x000000000673E000-memory.dmp
memory/4156-51-0x0000000006770000-0x00000000067BC000-memory.dmp
memory/4156-52-0x00000000076F0000-0x0000000007722000-memory.dmp
memory/4156-53-0x0000000070AD0000-0x0000000070B1C000-memory.dmp
memory/4156-63-0x0000000006D10000-0x0000000006D2E000-memory.dmp
memory/4156-64-0x0000000007730000-0x00000000077D3000-memory.dmp
memory/4156-65-0x00000000080B0000-0x000000000872A000-memory.dmp
memory/4156-66-0x0000000007A70000-0x0000000007A8A000-memory.dmp
memory/4156-67-0x0000000007AE0000-0x0000000007AEA000-memory.dmp
memory/4156-68-0x0000000007CF0000-0x0000000007D86000-memory.dmp
memory/4156-69-0x0000000007C70000-0x0000000007C81000-memory.dmp
memory/4156-70-0x0000000007CA0000-0x0000000007CAE000-memory.dmp
memory/4156-71-0x0000000007CB0000-0x0000000007CC4000-memory.dmp
memory/4156-72-0x0000000007DB0000-0x0000000007DCA000-memory.dmp
memory/4156-73-0x0000000007D90000-0x0000000007D98000-memory.dmp
memory/4156-76-0x0000000074F30000-0x00000000756E0000-memory.dmp
memory/2576-77-0x0000000074F30000-0x00000000756E0000-memory.dmp