Malware Analysis Report

2024-11-15 06:30

Sample ID 210624-65k7f4nnla
Target cd4ba6a5ecbcbaa727b4da9e16c9f960
SHA256 699724f6a8610c280586bf239477584de4e456b8e6f2aff27fce8c0b41bb56c9
Tags
echelon spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

699724f6a8610c280586bf239477584de4e456b8e6f2aff27fce8c0b41bb56c9

Threat Level: Known bad

The file cd4ba6a5ecbcbaa727b4da9e16c9f960 was found to be: Known bad.

Malicious Activity Summary

echelon spyware stealer

Echelon

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-06-24 00:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-06-24 00:22

Reported

2021-06-24 00:24

Platform

win7v20210408

Max time kernel

55s

Max time network

57s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd4ba6a5ecbcbaa727b4da9e16c9f960.exe"

Signatures

Echelon

stealer spyware echelon

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borns.exe N/A
N/A N/A C:\ProgramData\Decoder.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A freegeoip.app N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\ProgramData\Decoder.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\ProgramData\Decoder.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\ProgramData\Decoder.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob C:\ProgramData\Decoder.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borns.exe N/A
N/A N/A C:\ProgramData\Decoder.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borns.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Decoder.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 980 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\cd4ba6a5ecbcbaa727b4da9e16c9f960.exe C:\Users\Admin\AppData\Local\Temp\Borns.exe
PID 2000 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\Borns.exe C:\ProgramData\Decoder.exe
PID 2000 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\Borns.exe C:\Windows\system32\cmd.exe
PID 684 wrote to memory of 436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd4ba6a5ecbcbaa727b4da9e16c9f960.exe

"C:\Users\Admin\AppData\Local\Temp\cd4ba6a5ecbcbaa727b4da9e16c9f960.exe"

C:\Users\Admin\AppData\Local\Temp\Borns.exe

"C:\Users\Admin\AppData\Local\Temp\Borns.exe"

C:\ProgramData\Decoder.exe

"C:\ProgramData\Decoder.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""

C:\Windows\system32\timeout.exe

timeout 4

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.225.165.85:443 api.ipify.org tcp
N/A 8.8.8.8:53 f0553854.xsph.ru udp
N/A 141.8.192.151:80 f0553854.xsph.ru tcp
N/A 8.8.8.8:53 freegeoip.app udp
N/A 104.21.19.200:443 freegeoip.app tcp
N/A 8.8.8.8:53 f0521569.xsph.ru udp
N/A 141.8.192.151:80 f0521569.xsph.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\Borns.exe

MD5 884529a75c3268c5322822bac31a78b0
SHA1 ebe46ead5ea6c147aad4b746bf7db3d065291960
SHA256 76cd69d4dc6d55742fe48e31ac983cc34e3fc7c8ff6e08dd451a87d5e613d2dd
SHA512 fc2f43fd9dee0f4a2cde51539d6be525be3a98cba37e119b24df0a62e7993eccb4bdd075f1cd6ce8f4f3dfa0cfe013d6451531e518ec08bb1bfcd9e8549236ca

C:\ProgramData\Decoder.exe

MD5 c29c0d495ed13e703f433d53bdffdab8
SHA1 74ed36e6b6027b61abcfe2956670ffd9de7fd71a
SHA256 20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b
SHA512 fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426

C:\Users\Admin\AppData\Local\Temp\.cmd

MD5 73712247036b6a24d16502c57a3e5679
SHA1 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa
SHA256 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
SHA512 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Analysis: behavioral2

Detonation Overview

Submitted

2021-06-24 00:22

Reported

2021-06-24 00:24

Platform

win10v20210410

Max time kernel

34s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd4ba6a5ecbcbaa727b4da9e16c9f960.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borns.exe N/A
N/A N/A C:\ProgramData\Decoder.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A freegeoip.app N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\ProgramData\Decoder.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\ProgramData\Decoder.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borns.exe N/A
N/A N/A C:\ProgramData\Decoder.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borns.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Decoder.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cd4ba6a5ecbcbaa727b4da9e16c9f960.exe

"C:\Users\Admin\AppData\Local\Temp\cd4ba6a5ecbcbaa727b4da9e16c9f960.exe"

C:\Users\Admin\AppData\Local\Temp\Borns.exe

"C:\Users\Admin\AppData\Local\Temp\Borns.exe"

C:\ProgramData\Decoder.exe

"C:\ProgramData\Decoder.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""

C:\Windows\system32\timeout.exe

timeout 4

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 23.21.224.49:443 api.ipify.org tcp
N/A 8.8.8.8:53 f0553854.xsph.ru udp
N/A 141.8.192.151:80 f0553854.xsph.ru tcp
N/A 8.8.8.8:53 freegeoip.app udp
N/A 104.21.19.200:443 freegeoip.app tcp
N/A 8.8.8.8:53 f0521569.xsph.ru udp
N/A 141.8.192.151:80 f0521569.xsph.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\Borns.exe

MD5 884529a75c3268c5322822bac31a78b0
SHA1 ebe46ead5ea6c147aad4b746bf7db3d065291960
SHA256 76cd69d4dc6d55742fe48e31ac983cc34e3fc7c8ff6e08dd451a87d5e613d2dd
SHA512 fc2f43fd9dee0f4a2cde51539d6be525be3a98cba37e119b24df0a62e7993eccb4bdd075f1cd6ce8f4f3dfa0cfe013d6451531e518ec08bb1bfcd9e8549236ca

C:\ProgramData\Decoder.exe

MD5 c29c0d495ed13e703f433d53bdffdab8
SHA1 74ed36e6b6027b61abcfe2956670ffd9de7fd71a
SHA256 20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b
SHA512 fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426

C:\Users\Admin\AppData\Local\Temp\.cmd

MD5 73712247036b6a24d16502c57a3e5679
SHA1 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa
SHA256 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
SHA512 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de
