Malware Analysis Report

2024-11-16 12:27

Sample ID 240304-2eet4sfd6x
Target b34206561c1c956fb55bf38933f192e5
SHA256 e1bd8014416249633ac7d3474adc18599e42ec6f443d100d299cb817634775a5
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Likely malicious

The file b34206561c1c956fb55bf38933f192e5 was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Modifies file permissions

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 22:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 22:29

Reported

2024-03-04 22:32

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b34206561c1c956fb55bf38933f192e5.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\472E.tmp\splash.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\b34206561c1c956fb55bf38933f192e5.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\472E.tmp\splash.exe
PID 2484 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2484 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2484 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2484 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2484 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2484 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2484 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2484 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b34206561c1c956fb55bf38933f192e5.exe

"C:\Users\Admin\AppData\Local\Temp\b34206561c1c956fb55bf38933f192e5.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\472E.tmp\METRO.cmd" "

C:\Users\Admin\AppData\Local\Temp\472E.tmp\splash.exe

splash.exe

C:\Windows\SysWOW64\takeown.exe

takeown /a /f C:\Windows\System32\shsxs.dll

C:\Windows\SysWOW64\takeown.exe

takeown /a /f C:\Windows\SysWOW64\shsxs.dll

C:\Windows\SysWOW64\icacls.exe

ICACLS C:\Windows\System32\shsxs.dll /Grant Administrators:F

C:\Windows\SysWOW64\icacls.exe

ICACLS C:\Windows\SysWOW64\shsxs.dll /Grant Administrators:F

C:\Windows\SysWOW64\timeout.exe

timeout /t 1

C:\Windows\SysWOW64\timeout.exe

timeout /t 1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im TM.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im splash.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\472E.tmp\METRO.cmd

MD5 03e8fa1d35711b7d7addacebeea35d62
SHA1 4656d99a9dd13a92e3649b25407817b3e6294156
SHA256 b5a16ed052749af003a8127dcd240d69d56df4f430152ea4b40d45c2ac60fea7
SHA512 41eb2ac1a480b9b455516ec4b64090649ec7286ea156c876a0bb7a3c336554682d65f0ee15715ed30e9252d92b64e8cfb81f743e490aa7ea6792ad0627664041

C:\Users\Admin\AppData\Local\Temp\472E.tmp\splash.exe

MD5 da9657d72dd80a58aa108a3dbe381642
SHA1 ca350bd54782601b4faa32a3a8c0b93ad5abb6ee
SHA256 5e03f20b55f186ab0e22a7c3378399e90a89919fd12dc1410f90f83fbd002781
SHA512 e3185605eca861240577b85d5fbaa3e0e31b4495f43a858877d94c1118784f4b1fe49bcf3e4555ba64313153ef413cde62527f71986a869a1be283f63020991e

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 22:29

Reported

2024-03-04 22:32

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b34206561c1c956fb55bf38933f192e5.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b34206561c1c956fb55bf38933f192e5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\splash.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2760 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\b34206561c1c956fb55bf38933f192e5.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\splash.exe
PID 3352 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3352 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3352 wrote to memory of 3540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3352 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3352 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3352 wrote to memory of 3584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3352 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3352 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b34206561c1c956fb55bf38933f192e5.exe

"C:\Users\Admin\AppData\Local\Temp\b34206561c1c956fb55bf38933f192e5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\METRO.cmd" "

C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\splash.exe

splash.exe

C:\Windows\SysWOW64\takeown.exe

takeown /a /f C:\Windows\System32\shsxs.dll

C:\Windows\SysWOW64\takeown.exe

takeown /a /f C:\Windows\SysWOW64\shsxs.dll

C:\Windows\SysWOW64\icacls.exe

ICACLS C:\Windows\System32\shsxs.dll /Grant Administrators:F

C:\Windows\SysWOW64\icacls.exe

ICACLS C:\Windows\SysWOW64\shsxs.dll /Grant Administrators:F

C:\Windows\SysWOW64\timeout.exe

timeout /t 1

C:\Windows\SysWOW64\timeout.exe

timeout /t 1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im TM.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im splash.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\METRO.cmd

MD5 03e8fa1d35711b7d7addacebeea35d62
SHA1 4656d99a9dd13a92e3649b25407817b3e6294156
SHA256 b5a16ed052749af003a8127dcd240d69d56df4f430152ea4b40d45c2ac60fea7
SHA512 41eb2ac1a480b9b455516ec4b64090649ec7286ea156c876a0bb7a3c336554682d65f0ee15715ed30e9252d92b64e8cfb81f743e490aa7ea6792ad0627664041

C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\splash.exe

MD5 da9657d72dd80a58aa108a3dbe381642
SHA1 ca350bd54782601b4faa32a3a8c0b93ad5abb6ee
SHA256 5e03f20b55f186ab0e22a7c3378399e90a89919fd12dc1410f90f83fbd002781
SHA512 e3185605eca861240577b85d5fbaa3e0e31b4495f43a858877d94c1118784f4b1fe49bcf3e4555ba64313153ef413cde62527f71986a869a1be283f63020991e
