60bb544289cfeb878cf212268ad90d9b.exe

General
Target

60bb544289cfeb878cf212268ad90d9b.exe

Filesize

113KB

Completed

21-07-2021 18:08

Score
10/10
MD5

60bb544289cfeb878cf212268ad90d9b

SHA1

894de031e4cd521c10739650d56d8527c66b6655

SHA256

88172a45ab45c79f77b1a560dea8fcbb0ca7db792ca3d77e513e190dffc2a7f0

Malware Config

Extracted

Family warzonerat
C2

trenchesrelax.duckdns.org:302

Signatures 9


Collection
Credential Access
  • WarzoneRat, AveMaria

    Description

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT Payload

    Tags

    Reported IOCs

    resource                                       yara_rule
    behavioral1/files/0x00030000000130ca-61.dat    warzonerat
    behavioral1/files/0x00030000000130ca-62.dat    warzonerat
    behavioral1/files/0x00030000000130ca-64.dat    warzonerat
    behavioral1/files/0x00030000000130ca-73.dat    warzonerat
  • Executes dropped EXE
    svcew.exe

    Reported IOCs

    pid     process
    1572    svcew.exe
  • Loads dropped DLL
    60bb544289cfeb878cf212268ad90d9b.exe, svcew.exe

    Reported IOCs

    pid     process
    1104    60bb544289cfeb878cf212268ad90d9b.exe
    1104    60bb544289cfeb878cf212268ad90d9b.exe
    1572    svcew.exe
    1572    svcew.exe
    1572    svcew.exe
    1572    svcew.exe
    1572    svcew.exe
    1572    svcew.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, powershell.exe

    Reported IOCs

    pid    process
    316    powershell.exe
    316    powershell.exe
    336    powershell.exe
    336    powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, powershell.exe

    Reported IOCs

    description                 pid    process
    Token: SeDebugPrivilege     316    powershell.exe
    Token: SeDebugPrivilege     336    powershell.exe
  • Suspicious use of SetWindowsHookEx
    svcew.exe

    Reported IOCs

    pid     process
    1572    svcew.exe
  • Suspicious use of WriteProcessMemory
    60bb544289cfeb878cf212268ad90d9b.exe, svcew.exe

    Reported IOCs

    description                         pid     process                                 target process
    PID 1104 wrote to memory of 316     1104    60bb544289cfeb878cf212268ad90d9b.exe    powershell.exe
    PID 1104 wrote to memory of 316     1104    60bb544289cfeb878cf212268ad90d9b.exe    powershell.exe
    PID 1104 wrote to memory of 316     1104    60bb544289cfeb878cf212268ad90d9b.exe    powershell.exe
    PID 1104 wrote to memory of 316     1104    60bb544289cfeb878cf212268ad90d9b.exe    powershell.exe
    PID 1104 wrote to memory of 1572    1104    60bb544289cfeb878cf212268ad90d9b.exe    svcew.exe
    PID 1104 wrote to memory of 1572    1104    60bb544289cfeb878cf212268ad90d9b.exe    svcew.exe
    PID 1104 wrote to memory of 1572    1104    60bb544289cfeb878cf212268ad90d9b.exe    svcew.exe
    PID 1104 wrote to memory of 1572    1104    60bb544289cfeb878cf212268ad90d9b.exe    svcew.exe
    PID 1572 wrote to memory of 336     1572    svcew.exe                               powershell.exe
    PID 1572 wrote to memory of 336     1572    svcew.exe                               powershell.exe
    PID 1572 wrote to memory of 336     1572    svcew.exe                               powershell.exe
    PID 1572 wrote to memory of 336     1572    svcew.exe                               powershell.exe
    PID 1572 wrote to memory of 1544    1572    svcew.exe                               cmd.exe
    PID 1572 wrote to memory of 1544    1572    svcew.exe                               cmd.exe
    PID 1572 wrote to memory of 1544    1572    svcew.exe                               cmd.exe
    PID 1572 wrote to memory of 1544    1572    svcew.exe                               cmd.exe
    PID 1572 wrote to memory of 1544    1572    svcew.exe                               cmd.exe
    PID 1572 wrote to memory of 1544    1572    svcew.exe                               cmd.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\60bb544289cfeb878cf212268ad90d9b.exe
    "C:\Users\Admin\AppData\Local\Temp\60bb544289cfeb878cf212268ad90d9b.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:316
    • C:\ProgramData\svcew.exe
      "C:\ProgramData\svcew.exe"
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:336
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        PID:1544
Network
MITRE ATT&CK Matrix
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • C:\ProgramData\svcew.exe
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1abda922-9e0e-4200-89d0-60796083afcc
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_20a18d7d-e430-43ba-8d72-ab81e5039b66
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_66393355-2875-45f6-8c6e-ae1b0f23b199
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bc5ca8a-50eb-4a28-856a-31595e01418a
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_809ebb94-a573-4e32-bdea-38f69f48aae2
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c54cafad-1047-457c-8e6f-154301539124
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cff2ce8b-29aa-43cd-8e66-b9b3aef940a9
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  • \ProgramData\svcew.exe
  • \Users\Admin\AppData\Local\Temp\freebl3.dll
  • \Users\Admin\AppData\Local\Temp\mozglue.dll
  • \Users\Admin\AppData\Local\Temp\msvcp140.dll
  • \Users\Admin\AppData\Local\Temp\nss3.dll
  • \Users\Admin\AppData\Local\Temp\softokn3.dll
  • \Users\Admin\AppData\Local\Temp\vcruntime140.dll