Analysis Overview
SHA256
c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4
Threat Level: Known bad
The file c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4 was found to be: Known bad.
Malicious Activity Summary
RMS
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-28 18:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-28 18:21
Reported
2022-01-28 18:37
Platform
win7-en-20211208
Max time kernel
141s
Max time network
167s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\rutserv.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4.exe
"C:\Users\Admin\AppData\Local\Temp\c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\wet.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd" /silent"
C:\Windows\SysWOW64\PING.EXE
ping -n 9 localhost
C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "sys" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe -second
Network
| Country | Destination | Domain | Proto |
| NL | 91.240.118.172:80 | N/A | tcp |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
memory/1660-55-0x0000000076141000-0x0000000076143000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\wet.vbs
| MD5 | 0d3eed47d75c9c7d3185e7b61d06652a |
| SHA1 | ae2e913135d03cbc8f853321ef6b96906e1f6962 |
| SHA256 | 0c592272859379c675f4f5f741fe3cb44c22ee137a7d601ac712c59e1a0f6041 |
| SHA512 | 328766ce9996c34a740e8853f3df4fe384fa56a6032f6480e5e422daef87ddb957872a31b91174c4f2de13580f6e0669854b3b38d1536b62b02093fc1e14cae7 |
C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd
| MD5 | ad508eb4095f5a6041eb3cf37bd0e7d6 |
| SHA1 | 6501ce523df29802bfc2c81e32bc8e98033958d6 |
| SHA256 | f2ecaefeee8b594292a7b5e64afc1f4f5dcc1c21aa7ad8a910dccbc0f5385876 |
| SHA512 | e0a64721ffd2bb30dec61bc1b63c148bb7289a63d5c1c6f151b0e79d6cf7181b22e76bea0c89b4882d83423727866e24087d9ee690ec3d939aca55666bc71ce5 |
\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
| MD5 | 133852043c5bc42337579df1377dc425 |
| SHA1 | ae49521602846df51c8c5a9d08a4d3de8c207aee |
| SHA256 | 7b24f3dad3d4e9c0474ff34a98160ae52b3c9134757b834bebaeca6efa013493 |
| SHA512 | a5291691f625b369f5e75f24299dd2ac716f26ec5aa176d14bb765a1d732849565af60c652305b5b4c390694db2a8b61fb6a3d65665f6a4e9fab559a5a4ce327 |
memory/1180-66-0x0000000000400000-0x0000000000D80000-memory.dmp
memory/1180-67-0x0000000002930000-0x0000000002931000-memory.dmp
memory/1480-70-0x0000000000D80000-0x0000000000D81000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\settings.dat
| MD5 | 6e4dfa11271182f559b54e4d8fd496ab |
| SHA1 | 3265a9b2f3386f1b9a1904b7d674a4aee9937470 |
| SHA256 | 96abb6e4fcb9d6ad3500fcc17c4f428fcb7dee3ec8074d8e5a278ce186989aa8 |
| SHA512 | 3ce5a910fb6df23ea846cfbe859a40b36d32ad091d9b7cb86070f594de29c45736df8a9d7150c964f369cf1bcca23a07822c1a88936020572260829e01123d47 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-28 18:21
Reported
2022-01-28 18:36
Platform
win10-en-20211208
Max time kernel
151s
Max time network
166s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\rutserv.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall" | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4.exe
"C:\Users\Admin\AppData\Local\Temp\c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\wet.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd" /silent"
C:\Windows\SysWOW64\PING.EXE
ping -n 9 localhost
C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "sys" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe -second
Network
| Country | Destination | Domain | Proto |
| US | 52.109.12.20:443 | N/A | tcp |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| NL | 67.26.105.254:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\wet.vbs
| MD5 | 0d3eed47d75c9c7d3185e7b61d06652a |
| SHA1 | ae2e913135d03cbc8f853321ef6b96906e1f6962 |
| SHA256 | 0c592272859379c675f4f5f741fe3cb44c22ee137a7d601ac712c59e1a0f6041 |
| SHA512 | 328766ce9996c34a740e8853f3df4fe384fa56a6032f6480e5e422daef87ddb957872a31b91174c4f2de13580f6e0669854b3b38d1536b62b02093fc1e14cae7 |
C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd
| MD5 | ad508eb4095f5a6041eb3cf37bd0e7d6 |
| SHA1 | 6501ce523df29802bfc2c81e32bc8e98033958d6 |
| SHA256 | f2ecaefeee8b594292a7b5e64afc1f4f5dcc1c21aa7ad8a910dccbc0f5385876 |
| SHA512 | e0a64721ffd2bb30dec61bc1b63c148bb7289a63d5c1c6f151b0e79d6cf7181b22e76bea0c89b4882d83423727866e24087d9ee690ec3d939aca55666bc71ce5 |
C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
| MD5 | 133852043c5bc42337579df1377dc425 |
| SHA1 | ae49521602846df51c8c5a9d08a4d3de8c207aee |
| SHA256 | 7b24f3dad3d4e9c0474ff34a98160ae52b3c9134757b834bebaeca6efa013493 |
| SHA512 | a5291691f625b369f5e75f24299dd2ac716f26ec5aa176d14bb765a1d732849565af60c652305b5b4c390694db2a8b61fb6a3d65665f6a4e9fab559a5a4ce327 |
memory/1444-205-0x0000000000400000-0x0000000000D80000-memory.dmp
memory/1444-207-0x0000000002B50000-0x0000000002F10000-memory.dmp
memory/1476-209-0x0000000001230000-0x0000000001231000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\settings.dat
| MD5 | 6e4dfa11271182f559b54e4d8fd496ab |
| SHA1 | 3265a9b2f3386f1b9a1904b7d674a4aee9937470 |
| SHA256 | 96abb6e4fcb9d6ad3500fcc17c4f428fcb7dee3ec8074d8e5a278ce186989aa8 |
| SHA512 | 3ce5a910fb6df23ea846cfbe859a40b36d32ad091d9b7cb86070f594de29c45736df8a9d7150c964f369cf1bcca23a07822c1a88936020572260829e01123d47 |