Analysis Overview
SHA256
ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf
Threat Level: Known bad
The file ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.exe was found to be: Known bad.
Malicious Activity Summary
Qakbot family
Qakbot/Qbot
Windows security bypass
Loads dropped DLL
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-22 13:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 13:49
Reported
2024-11-22 13:51
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
97s
Command Line
Signatures
Qakbot family
Qakbot/Qbot
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Zlphxl = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Kqitlq = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Oayeoxhkqoarp | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Oayeoxhkqoarp\19ec6470 = b9eb59336bc9174abbe9ef931cb5dc5e0e1272b66ab3dc53f3a478e0e6ffbfb765063780e0b5bf13e0d886ae6bbbb976262f | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Oayeoxhkqoarp\2c73b43e = 6a427018f1e40c8dec00aa9597956234688b7bbc80234b646b9f71bf4dffdff2460d00b1abb95270650e08a91d608f896fca7be999ab37b1638859f230e6642dfaa23ce2aa25d6b9a765f73021de9d5e64636a8f43a41e3eb262d97bf0cd378368c4f528ac271d97877de3d821e916e5c9c5e4909f14c40cbf42e7e0756cb1fbdd284f3a4a422b01659d45fb5cfda6a79509b0047b3926f4a1c701c3a939f683 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Oayeoxhkqoarp\533adbc8 = ef111254998871b83da05aca4a6cce033fac0a21c09d8b31ffa76a3f9e8b3a6f0550d015f38ca75aa7bc1b56c6dd199195c36b223b47fb65e3ce26a53d50 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Oayeoxhkqoarp\94cfd35b = 68ac269afa050e2a4504ce674c7d4ac2b593aa975872bbabe6f3536ce3c3236cb3a2aac3df380134b6ff303b3e37e47656c21117cf3d0695a97fd3a5de37b3fa367263630a9418f3eb6a351731783c | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Oayeoxhkqoarp\2e329442 = 264eb310f9c479a9822b8092987a092ece61 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Oayeoxhkqoarp\968ef327 = 5511134a72295d3660ad77484cdc70ab3d9352544d5cd0d42b426d22393dbb | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Oayeoxhkqoarp\eb86bcad = 1939c3c0c962b59629ec3ee7737771c4353091afe532c028fa1bf8f9b3c1087f8d8303a045 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Oayeoxhkqoarp\66a50b86 = c11d74d6798c99cebade937b3aead329832931d2326b51f9008ea1f23a8f616b07e0de1b8233c6987f838a1e5c965589a3142fe20f46d59defd0c7717112b8ad4634e3 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Oayeoxhkqoarp\19ec6470 = b9eb4e336bc922b999bf1659d4b55572cf5726056b26daae9f179060097b4e2a5392479b3feccdd765d4c7744c2f940b901316f87742351e22519c5c6e34cba8d91a814becbb82 | C:\Windows\SysWOW64\explorer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll,#1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vphgozbh /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll\"" /SC ONCE /Z /ST 13:51 /ET 14:03
C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll"
C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Zlphxl" /d "0"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Kqitlq" /d "0"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.146.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.146.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/4804-1-0x0000000075460000-0x0000000075466000-memory.dmp
memory/4804-0-0x00000000752D0000-0x000000007547B000-memory.dmp
memory/4804-2-0x00000000752D0000-0x000000007547B000-memory.dmp
memory/4804-4-0x00000000752D0000-0x000000007547B000-memory.dmp
memory/4804-5-0x00000000752D0000-0x000000007547B000-memory.dmp
memory/744-6-0x0000000000CE0000-0x0000000000D01000-memory.dmp
memory/744-10-0x0000000000CE0000-0x0000000000D01000-memory.dmp
memory/744-12-0x0000000000CE0000-0x0000000000D01000-memory.dmp
memory/744-11-0x0000000000CE0000-0x0000000000D01000-memory.dmp
memory/744-14-0x0000000000CE0000-0x0000000000D01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll
| MD5 | 6ed47a0963d414bd3e945dad0d45ecb6 |
| SHA1 | 4c229de8ee285cf6f1fca195036532550e30c624 |
| SHA256 | ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf |
| SHA512 | fae4f2d72e4595ce828313617960fed144897e623bef519ef7f785a7ae06b47e0fa8d1ca2223c4fa9bb7ccea2b791dcb760cd430ba2149f54018ac8b8843f806 |
memory/3108-18-0x0000000073B30000-0x0000000073CDB000-memory.dmp
memory/3108-19-0x0000000073B30000-0x0000000073CDB000-memory.dmp
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3108-22-0x0000000073B30000-0x0000000073CDB000-memory.dmp
memory/548-24-0x00000000004B0000-0x00000000004D1000-memory.dmp
memory/548-25-0x00000000004B0000-0x00000000004D1000-memory.dmp
memory/548-26-0x00000000004B0000-0x00000000004D1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 13:49
Reported
2024-11-22 13:51
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Qakbot family
Qakbot/Qbot
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Zbecg = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Ydpnrodvu = "0" | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xwtnxipavatr\fe8ecd92 = 7c26cd29d666860f25408787441dc2972cc5c271ce3828288dacac296daf5caa6156114107ae6a6914596e5bf002c07a00d8b51b4a | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xwtnxipavatr\fe8ecd92 = 7c26da29d666b3bd8635a186d9e25eded2f0bed5ae389a87add2da50e4c94a24 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xwtnxipavatr\cb111ddc = 986391fee6fef2f2b4e281f971509da55f8b0b7d73bca9830deaa328f1ec53f237a19304a6d1d5a7cf8d116c5375302de7601928ce977c429cf65a17e66f53cd06f0b18e918a36b6cc3a8a8a60326aa59bee7017f35d26cef819a17a80aa0b74adada292fb2ecf524b9610280958cd15cb5723e74658f9e3a79388a9b991df74425df20b0a482c965bf0830aba93db059cb6fb3239b508e6e1703386cf2f2d5b88eb92b6971b39f8f331c52e5b7ad5fc3c73c56bb6292f | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xwtnxipavatr\c9503da0 = b04921f3d185ced8c112cf2446855b4f0cae31 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xwtnxipavatr\71ec5ac5 = 2781e5448a5ce7de8edee4ba0c88ba414b1d94a792304b6934f9ccd04eedb5e42c43f96a33fb8cdee66f2bb13ca2bc8ae43eb8ee0d2c9799100714455d5187a00bf44c25f1 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xwtnxipavatr\ce4154f = c9b984ff7af91bd9b3a81e68f391b650162e6db3fc060d0b050d16abc2c6b728c7acb15e64aad4d27ef810b3caa62bd3571997537e946f7227c8d4be7a8bd10d3db4cfb19509e46315809ed435751f5b65d8 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xwtnxipavatr\b458722a = c91cbb8a2261b6b9871d7bf81a795cc538806a8686287ace9ff4acbdaab5886b2ab217fc63f6ac482e02e69c733f72fac10f496a13d5a54cf15ed21be277e5be351f84541d7f9e1b3cf084c7cbb6e288bc770d85f501b1242b72d138864667a79391ea457e809be2a03704042e | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xwtnxipavatr\73ad7ab9 = d97dfac5ce3441b53f9fd77574306664df1082440b095664445bbb98faff64d575e32fa8be4c429358dd7ce75934ef0d2665f3 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Xwtnxipavatr | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xwtnxipavatr\81c7a264 = 1847b82ebc682b88e9bc3f5ac191c494d97fb1d2f1fb55802be999df85a1ea9a14c38da0925ef734ed2115575fef2c6c | C:\Windows\SysWOW64\explorer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll,#1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn cjpksvzp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll\"" /SC ONCE /Z /ST 13:51 /ET 14:03
C:\Windows\system32\taskeng.exe
taskeng.exe {64AA58DE-7159-46C1-A409-270AF0D43FDD} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll"
C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ydpnrodvu" /d "0"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Zbecg" /d "0"
Network
Files
memory/1528-0-0x0000000074C80000-0x0000000074E2B000-memory.dmp
memory/1528-1-0x0000000074C80000-0x0000000074E2B000-memory.dmp
memory/1528-4-0x0000000074C80000-0x0000000074E2B000-memory.dmp
memory/1528-3-0x0000000074E10000-0x0000000074E16000-memory.dmp
memory/828-5-0x0000000000080000-0x0000000000082000-memory.dmp
memory/828-7-0x00000000000D0000-0x00000000000F1000-memory.dmp
memory/1528-9-0x0000000074C80000-0x0000000074E2B000-memory.dmp
memory/828-12-0x00000000000D0000-0x00000000000F1000-memory.dmp
memory/828-14-0x00000000000D0000-0x00000000000F1000-memory.dmp
memory/828-13-0x00000000000D0000-0x00000000000F1000-memory.dmp
memory/828-16-0x00000000000D0000-0x00000000000F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll
| MD5 | 6ed47a0963d414bd3e945dad0d45ecb6 |
| SHA1 | 4c229de8ee285cf6f1fca195036532550e30c624 |
| SHA256 | ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf |
| SHA512 | fae4f2d72e4595ce828313617960fed144897e623bef519ef7f785a7ae06b47e0fa8d1ca2223c4fa9bb7ccea2b791dcb760cd430ba2149f54018ac8b8843f806 |
memory/2980-22-0x00000000743E0000-0x000000007458B000-memory.dmp
memory/2980-21-0x00000000743E0000-0x000000007458B000-memory.dmp
memory/2980-25-0x00000000743E0000-0x000000007458B000-memory.dmp
memory/2868-27-0x0000000000080000-0x00000000000A1000-memory.dmp
memory/2868-28-0x0000000000080000-0x00000000000A1000-memory.dmp
memory/2868-29-0x0000000000080000-0x00000000000A1000-memory.dmp