Malware Analysis Report

2024-11-15 06:30

Sample ID 201109-8gcfqqwmcx
Target 19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c
SHA256 19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c
Tags
echelon discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c

Threat Level: Known bad

The file 19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c was found to be: Known bad.

Malicious Activity Summary

echelon discovery spyware stealer

Echelon

Echelon log file

ServiceHost packer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-11-09 21:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-09 21:17

Reported

2020-11-11 06:11

Platform

win7v20201028

Max time kernel

107s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c.exe"

Signatures

Echelon

stealer spyware echelon

Echelon log file

Description Indicator Process Target
N/A N/A N/A N/A

ServiceHost packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Downloads\images.exe N/A

Reads user/profile data of web browsers

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Public\Downloads\images.exe

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B C:\Users\Public\Downloads\images.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a11800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7 C:\Users\Public\Downloads\images.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Public\Downloads\images.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\Downloads\images.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c.exe

"C:\Users\Admin\AppData\Local\Temp\19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c.exe"

C:\Users\Public\Downloads\images.exe

"C:\Users\Public\Downloads\images.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 2604

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.204.14.42:443 api.ipify.org tcp
N/A 8.8.8.8:53 www.download.windowsupdate.com udp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 54.204.14.42:443 api.ipify.org tcp
N/A 8.8.8.8:53 g.api.mega.co.nz udp
N/A 66.203.125.15:443 g.api.mega.co.nz tcp

Files

memory/1684-0-0x0000000000FF0000-0x00000000010F1000-memory.dmp

\Users\Public\Downloads\images.exe

MD5 3f7049b2c628eac94f17629f3e7d5830
SHA1 61ad825e39e19472d06a3080367a858e18187d05
SHA256 af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7
SHA512 6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

\Users\Public\Downloads\images.exe

MD5 3f7049b2c628eac94f17629f3e7d5830
SHA1 61ad825e39e19472d06a3080367a858e18187d05
SHA256 af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7
SHA512 6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

\Users\Public\Downloads\images.exe

MD5 3f7049b2c628eac94f17629f3e7d5830
SHA1 61ad825e39e19472d06a3080367a858e18187d05
SHA256 af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7
SHA512 6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

\Users\Public\Downloads\images.exe

MD5 3f7049b2c628eac94f17629f3e7d5830
SHA1 61ad825e39e19472d06a3080367a858e18187d05
SHA256 af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7
SHA512 6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

memory/2012-6-0x0000000000000000-mapping.dmp

C:\Users\Public\Downloads\images.exe

MD5 3f7049b2c628eac94f17629f3e7d5830
SHA1 61ad825e39e19472d06a3080367a858e18187d05
SHA256 af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7
SHA512 6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

\??\c:\users\public\downloads\images.exe

MD5 3f7049b2c628eac94f17629f3e7d5830
SHA1 61ad825e39e19472d06a3080367a858e18187d05
SHA256 af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7
SHA512 6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

memory/2012-9-0x0000000002F70000-0x0000000002F81000-memory.dmp

memory/2012-10-0x0000000003250000-0x0000000003261000-memory.dmp

memory/2012-11-0x0000000073C70000-0x000000007435E000-memory.dmp

memory/2012-12-0x0000000000A30000-0x0000000000A31000-memory.dmp

memory/2012-14-0x00000000032A0000-0x00000000032DE000-memory.dmp

memory/2012-15-0x0000000000720000-0x000000000072F000-memory.dmp

memory/2012-16-0x00000000009C0000-0x00000000009C9000-memory.dmp

memory/2012-17-0x0000000002F70000-0x0000000002F88000-memory.dmp

memory/2012-18-0x0000000006C90000-0x0000000006D1D000-memory.dmp

memory/1956-19-0x0000000000000000-mapping.dmp

memory/1956-20-0x00000000021D0000-0x00000000021E1000-memory.dmp

\Users\Public\Downloads\images.exe

MD5 608a7fb2707b4bea6927f76d6460632c
SHA1 dd9e694779d9ff67a69aa38a3156430543f1df08
SHA256 b4bb355c06b470363ca70a6f95cf2d9a6245310633de9267ba8045600c7d4a8f
SHA512 796c29145ae1d1f83b22e729da16e4c31140ff151950e704b07ff7ba5ba6d1d7043066c83fd56dc2838844d959ad9d4f3e508b35d4551fcbbcf42d2e3523142e

\Users\Public\Downloads\images.exe

MD5 10cedd205c413ecd51bafb5b86204f91
SHA1 d86e0f10cf2d6513455c4016db82ee80281df8aa
SHA256 b815c1b20d0fd96d3797b355b3d0527097d85d67473f9cc6318c59b0ab5c522b
SHA512 f8eef2100379312870e3d9f9da97c1ec6ac4af7f59ea033a40e98377129fb32da6e2af5a637e66a6f1c2e70ffa18b5d53007d8b14e9abf3b6e061ca41f1eea4a

\Users\Public\Downloads\images.exe

MD5 0f436c19925ef100bd3c3a6440c0bce8
SHA1 a12e67cc3b3193629f2e176c1179ec9ff58b19ae
SHA256 d5eb33f1c6d993549dc5af825fe9bba882b5f8c28e887e74952e65d4f21df8e7
SHA512 4088e8089dcc66f71de1d9a286998e27e070889a06e8eaae16d8a16e24ca900db9887bd4379643e76f98805d2cd12b7f50109c9aa8c267810ab84b212f144c87

\Users\Public\Downloads\images.exe

MD5 2dbecbfab6b295b0e3269c018202512c
SHA1 095991b151fc72807051742f3cd9ccf0b7c914d8
SHA256 4d9971651283fd2ada036a58863557a9850ec69dace5551f18cd9cefa715e898
SHA512 eabcf472c08f7f053ae8151203adfcab61af2798ae94b43411f73013145c8b9f684a2488c6f2f5311aa8e628d2c3e99bf8472c7db11c0bb78694c58fac45964a

memory/2012-29-0x0000000000000000-mapping.dmp

memory/2012-30-0x0000000000000000-mapping.dmp

memory/2012-31-0x0000000000000000-mapping.dmp

memory/2012-32-0x0000000000000000-mapping.dmp

memory/2012-33-0x0000000000000000-mapping.dmp

memory/2012-34-0x0000000000000000-mapping.dmp

memory/2012-35-0x0000000000000000-mapping.dmp

memory/2012-36-0x0000000000000000-mapping.dmp

memory/2012-37-0x0000000000000000-mapping.dmp

memory/2012-39-0x0000000000000000-mapping.dmp

memory/2012-38-0x0000000000000000-mapping.dmp

memory/2012-41-0x0000000000000000-mapping.dmp

memory/2012-40-0x0000000000000000-mapping.dmp

memory/2012-42-0x0000000000000000-mapping.dmp

memory/2012-44-0x0000000000000000-mapping.dmp

memory/2012-43-0x0000000000000000-mapping.dmp

memory/2012-46-0x0000000000000000-mapping.dmp

memory/2012-45-0x0000000000000000-mapping.dmp

memory/2012-47-0x0000000000000000-mapping.dmp

memory/2012-49-0x0000000000000000-mapping.dmp

memory/2012-48-0x0000000000000000-mapping.dmp

memory/2012-52-0x0000000000000000-mapping.dmp

memory/2012-51-0x0000000000000000-mapping.dmp

memory/2012-50-0x0000000000000000-mapping.dmp

memory/1956-53-0x0000000002760000-0x0000000002771000-memory.dmp

\Users\Public\Downloads\images.exe

MD5 243661b6335a1d70d84a4d0ff5cc0c2f
SHA1 d744b4cb60acd44ff1bc3c3f1cc44ced9dcddfd1
SHA256 dd3ba336990b8eccbe187ca04682fce5440e29c9abcb8eb990ffb075a5a348d2
SHA512 e6f775e229578b1dee198d1763d007e74aaa2fe6c6555e58d7bfe9df3d0f1fb7677b0895f2711572675ffb5dd305ccaad40164287f9520d7bd001b1b4bacd0fd

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-09 21:17

Reported

2020-11-11 06:11

Platform

win10v20201028

Max time kernel

139s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c.exe"

Signatures

Echelon

stealer spyware echelon

Echelon log file

Description Indicator Process Target
N/A N/A N/A N/A

ServiceHost packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Downloads\images.exe N/A

Reads user/profile data of web browsers

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Public\Downloads\images.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Public\Downloads\images.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\Downloads\images.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c.exe

"C:\Users\Admin\AppData\Local\Temp\19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c.exe"

C:\Users\Public\Downloads\images.exe

"C:\Users\Public\Downloads\images.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 2384

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 184.72.229.11:443 api.ipify.org tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 g.api.mega.co.nz udp
N/A 66.203.125.12:443 g.api.mega.co.nz tcp
N/A 13.107.4.52:80 www.msftconnecttest.com tcp

Files

memory/2252-1-0x0000000000000000-mapping.dmp

C:\Users\Public\Downloads\images.exe

MD5 3f7049b2c628eac94f17629f3e7d5830
SHA1 61ad825e39e19472d06a3080367a858e18187d05
SHA256 af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7
SHA512 6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

\??\c:\users\public\downloads\images.exe

MD5 3f7049b2c628eac94f17629f3e7d5830
SHA1 61ad825e39e19472d06a3080367a858e18187d05
SHA256 af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7
SHA512 6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

memory/2252-4-0x0000000003180000-0x0000000003181000-memory.dmp

memory/2252-5-0x0000000003280000-0x0000000003281000-memory.dmp

memory/2252-6-0x00000000739A0000-0x000000007408E000-memory.dmp

memory/2252-7-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2252-9-0x00000000057F0000-0x00000000057F1000-memory.dmp

memory/2252-10-0x0000000005EF0000-0x0000000005F2E000-memory.dmp

memory/2252-11-0x0000000006490000-0x0000000006491000-memory.dmp

memory/2252-12-0x0000000006410000-0x000000000641F000-memory.dmp

memory/2252-13-0x0000000005F90000-0x0000000005F99000-memory.dmp

memory/2252-14-0x0000000006D70000-0x0000000006D71000-memory.dmp

memory/2252-15-0x0000000006FB0000-0x0000000006FB1000-memory.dmp

memory/2252-16-0x0000000008230000-0x0000000008248000-memory.dmp

memory/2252-17-0x0000000008250000-0x00000000082DD000-memory.dmp

memory/2252-18-0x0000000008330000-0x0000000008331000-memory.dmp

memory/2252-19-0x0000000008370000-0x0000000008371000-memory.dmp

memory/1628-20-0x0000000004D30000-0x0000000004D31000-memory.dmp

memory/1628-21-0x0000000004D30000-0x0000000004D31000-memory.dmp

memory/2252-24-0x0000000000000000-mapping.dmp

memory/2252-23-0x0000000000000000-mapping.dmp

memory/2252-26-0x0000000000000000-mapping.dmp

memory/2252-25-0x0000000000000000-mapping.dmp

memory/2252-27-0x0000000000000000-mapping.dmp

memory/2252-28-0x0000000000000000-mapping.dmp

memory/2252-29-0x0000000000000000-mapping.dmp

memory/2252-30-0x0000000000000000-mapping.dmp

memory/2252-31-0x0000000000000000-mapping.dmp

memory/2252-32-0x0000000000000000-mapping.dmp

memory/2252-33-0x0000000000000000-mapping.dmp

memory/2252-35-0x0000000000000000-mapping.dmp

memory/2252-36-0x0000000000000000-mapping.dmp

memory/2252-37-0x0000000000000000-mapping.dmp

memory/2252-38-0x0000000000000000-mapping.dmp

memory/2252-39-0x0000000000000000-mapping.dmp

memory/2252-40-0x0000000000000000-mapping.dmp

memory/2252-41-0x0000000000000000-mapping.dmp

memory/2252-42-0x0000000000000000-mapping.dmp

memory/2252-43-0x0000000000000000-mapping.dmp

memory/2252-44-0x0000000000000000-mapping.dmp

memory/2252-45-0x0000000000000000-mapping.dmp

memory/2252-46-0x0000000000000000-mapping.dmp

memory/2252-47-0x0000000000000000-mapping.dmp

memory/2252-34-0x0000000000000000-mapping.dmp

memory/1628-48-0x00000000057B0000-0x00000000057B1000-memory.dmp

memory/2252-97-0x0000000000000000-mapping.dmp

memory/2252-96-0x0000000000000000-mapping.dmp

memory/2252-100-0x0000000000000000-mapping.dmp

memory/2252-101-0x0000000000000000-mapping.dmp

memory/2252-99-0x0000000000000000-mapping.dmp

memory/2252-102-0x0000000000000000-mapping.dmp

memory/2252-103-0x0000000000000000-mapping.dmp

memory/2252-104-0x0000000000000000-mapping.dmp

memory/2252-106-0x0000000000000000-mapping.dmp

memory/2252-107-0x0000000000000000-mapping.dmp

memory/2252-108-0x0000000000000000-mapping.dmp

memory/2252-109-0x0000000000000000-mapping.dmp

memory/2252-110-0x0000000000000000-mapping.dmp

memory/2252-111-0x0000000000000000-mapping.dmp

memory/2252-112-0x0000000000000000-mapping.dmp

memory/2252-113-0x0000000000000000-mapping.dmp

memory/2252-105-0x0000000000000000-mapping.dmp

memory/2252-98-0x0000000000000000-mapping.dmp

memory/2252-115-0x0000000000000000-mapping.dmp

memory/2252-114-0x0000000000000000-mapping.dmp

memory/2252-116-0x0000000000000000-mapping.dmp

memory/2252-117-0x0000000000000000-mapping.dmp

memory/2252-119-0x0000000000000000-mapping.dmp

memory/2252-118-0x0000000000000000-mapping.dmp

memory/2252-120-0x0000000000000000-mapping.dmp

memory/1628-121-0x0000000005F70000-0x0000000005F71000-memory.dmp