Malware Analysis Report

2025-08-05 21:22

Sample ID 240305-a6b4rahe6w
Target b35cd39d4d132e5fdd1561644f1d7f4c
SHA256 994302eb33e3da38c27165b7ee9166f880faf46e353d4f21ae5d4d2f832494b0
Tags
aspackv2 persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

994302eb33e3da38c27165b7ee9166f880faf46e353d4f21ae5d4d2f832494b0

Threat Level: Known bad

The file b35cd39d4d132e5fdd1561644f1d7f4c was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence

Modifies WinLogon for persistence

ASPack v2.12-2.42

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-05 00:49

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-05 00:49

Reported

2024-03-05 00:51

Platform

win7-20240221-en

Max time kernel

141s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\ntos.exe," C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ntos.exe C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe N/A
File created C:\Windows\SysWOW64\ntos.exe C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe

"C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe"

Network

N/A

Files

memory/1308-0-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1308-4-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-05 00:49

Reported

2024-03-05 00:51

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

154s

Command Line

winlogon.exe

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\ntos.exe," C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ntos.exe C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe N/A
File created C:\Windows\SysWOW64\ntos.exe C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe C:\Windows\system32\winlogon.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe

"C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp

Files

memory/1264-0-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1264-2-0x0000000000400000-0x000000000042B000-memory.dmp

memory/612-15-0x0000000000400000-0x000000000042B000-memory.dmp

memory/612-24-0x0000000012D80000-0x0000000012DAB000-memory.dmp

memory/612-33-0x0000000012DB0000-0x0000000012DDB000-memory.dmp

memory/612-42-0x0000000012DE0000-0x0000000012E0B000-memory.dmp

memory/612-51-0x0000000012E10000-0x0000000012E3B000-memory.dmp

memory/612-60-0x0000000012E40000-0x0000000012E6B000-memory.dmp

memory/612-69-0x0000000012E70000-0x0000000012E9B000-memory.dmp

memory/612-78-0x0000000012EA0000-0x0000000012ECB000-memory.dmp

memory/612-87-0x0000000012ED0000-0x0000000012EFB000-memory.dmp

memory/612-96-0x0000000012F00000-0x0000000012F2B000-memory.dmp

memory/612-105-0x0000000012F30000-0x0000000012F5B000-memory.dmp

memory/612-114-0x0000000012F60000-0x0000000012F8B000-memory.dmp

memory/612-123-0x0000000012F90000-0x0000000012FBB000-memory.dmp

memory/612-132-0x0000000012FC0000-0x0000000012FEB000-memory.dmp

memory/612-141-0x0000000012FF0000-0x000000001301B000-memory.dmp

memory/612-150-0x0000000013020000-0x000000001304B000-memory.dmp

memory/612-159-0x0000000013050000-0x000000001307B000-memory.dmp

memory/612-168-0x0000000013080000-0x00000000130AB000-memory.dmp

memory/612-177-0x00000000130B0000-0x00000000130DB000-memory.dmp

memory/612-186-0x00000000130E0000-0x000000001310B000-memory.dmp

memory/612-195-0x0000000013110000-0x000000001313B000-memory.dmp

memory/612-204-0x0000000013140000-0x000000001316B000-memory.dmp

memory/612-213-0x0000000013170000-0x000000001319B000-memory.dmp

memory/612-222-0x00000000131A0000-0x00000000131CB000-memory.dmp

memory/612-231-0x00000000131D0000-0x00000000131FB000-memory.dmp

memory/612-240-0x0000000013200000-0x000000001322B000-memory.dmp

memory/612-249-0x0000000013230000-0x000000001325B000-memory.dmp

memory/612-258-0x0000000013260000-0x000000001328B000-memory.dmp

memory/612-267-0x0000000013290000-0x00000000132BB000-memory.dmp

memory/612-276-0x00000000132C0000-0x00000000132EB000-memory.dmp

memory/612-285-0x00000000132F0000-0x000000001331B000-memory.dmp

memory/612-294-0x0000000013320000-0x000000001334B000-memory.dmp

memory/612-303-0x0000000013350000-0x000000001337B000-memory.dmp

memory/612-312-0x0000000013380000-0x00000000133AB000-memory.dmp

memory/612-321-0x00000000133B0000-0x00000000133DB000-memory.dmp

memory/612-330-0x00000000133E0000-0x000000001340B000-memory.dmp

memory/612-339-0x0000000013410000-0x000000001343B000-memory.dmp

memory/612-348-0x0000000013440000-0x000000001346B000-memory.dmp

memory/612-357-0x0000000013470000-0x000000001349B000-memory.dmp

memory/612-366-0x00000000134A0000-0x00000000134CB000-memory.dmp

memory/612-375-0x00000000134D0000-0x00000000134FB000-memory.dmp

memory/612-384-0x0000000013500000-0x000000001352B000-memory.dmp

memory/612-393-0x0000000013530000-0x000000001355B000-memory.dmp

memory/612-402-0x0000000013560000-0x000000001358B000-memory.dmp

memory/612-411-0x0000000013590000-0x00000000135BB000-memory.dmp

memory/612-420-0x00000000135C0000-0x00000000135EB000-memory.dmp

memory/612-429-0x00000000135F0000-0x000000001361B000-memory.dmp

memory/612-438-0x0000000013620000-0x000000001364B000-memory.dmp

memory/612-447-0x0000000013650000-0x000000001367B000-memory.dmp

memory/612-456-0x0000000013680000-0x00000000136AB000-memory.dmp

memory/612-465-0x00000000136B0000-0x00000000136DB000-memory.dmp

memory/612-474-0x00000000136E0000-0x000000001370B000-memory.dmp

memory/612-483-0x0000000013710000-0x000000001373B000-memory.dmp

memory/612-492-0x0000000013740000-0x000000001376B000-memory.dmp

memory/612-501-0x0000000013770000-0x000000001379B000-memory.dmp

memory/612-510-0x00000000137A0000-0x00000000137CB000-memory.dmp

memory/612-519-0x00000000137D0000-0x00000000137FB000-memory.dmp

memory/612-528-0x0000000013800000-0x000000001382B000-memory.dmp

memory/612-537-0x0000000013830000-0x000000001385B000-memory.dmp

memory/612-546-0x0000000013860000-0x000000001388B000-memory.dmp

memory/612-555-0x0000000013890000-0x00000000138BB000-memory.dmp

memory/612-564-0x00000000138C0000-0x00000000138EB000-memory.dmp