Analysis Overview
SHA256
6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79
Threat Level: Known bad
The file 6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79 was found to be: Known bad.
Malicious Activity Summary
OutSteel
OutSteel batch script
Deletes itself
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
Suspicious use of SetThreadContext
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 11:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 11:46
Reported
2024-04-10 11:49
Platform
win7-20240221-en
Max time kernel
136s
Max time network
137s
Command Line
Signatures
OutSteel
OutSteel batch script
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2440 set thread context of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe | C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe
"C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe"
C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe
C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pps" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.ppa" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.rar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.zip" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.tar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.7z" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.txt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
cmd /c start /min r.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K r.bat
C:\Windows\SysWOW64\cmd.exe
cmd /min /c del "C:\Users\Admin\AppData\Local\Temp\r.bat"
C:\Windows\SysWOW64\taskkill.exe
Taskkill /IM cmd.exe /F
Network
| Country | Destination | Domain | Proto |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp |
Files
memory/2440-0-0x0000000000F90000-0x000000000101E000-memory.dmp
memory/2440-1-0x0000000074610000-0x0000000074CFE000-memory.dmp
memory/2440-2-0x0000000000680000-0x00000000006C0000-memory.dmp
memory/2440-3-0x0000000000450000-0x000000000045E000-memory.dmp
memory/2716-4-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2440-6-0x0000000074610000-0x0000000074CFE000-memory.dmp
memory/2716-7-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2716-8-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2716-9-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2716-11-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2716-15-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2716-27-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2716-31-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2716-43-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2716-47-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2716-59-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2716-63-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2716-81-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2716-157-0x0000000000400000-0x00000000004E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\r.bat
| MD5 | 481767783ae1eb9829e034b7450c4f97 |
| SHA1 | f80589536789db32b90772f5f51aa5636cc832b9 |
| SHA256 | 502ef9223631bf62206bfc9082d74e0a0c27a8f04b126416f449acad5c0727c4 |
| SHA512 | 9bf3a50818029083314a423be509551e98384797c44074854a96aa3815712b7de1a101ea2f121539038f9ad41a26eaff6835a82e38126275c2ca269221ce26af |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 11:46
Reported
2024-04-10 11:49
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
OutSteel
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1580 set thread context of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe | C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe
"C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe"
C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe
C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | tcp | |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 45.146.164.37:8080 | tcp | |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| RU | 45.146.164.37:8080 | tcp | |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| US | 8.8.8.8:53 | 58.189.79.40.in-addr.arpa | udp |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp |
Files
memory/1580-1-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/1580-0-0x0000000000910000-0x000000000099E000-memory.dmp
memory/1580-2-0x00000000059E0000-0x0000000005F84000-memory.dmp
memory/1580-3-0x0000000005380000-0x0000000005412000-memory.dmp
memory/1580-4-0x00000000054E0000-0x00000000054F0000-memory.dmp
memory/1580-5-0x00000000054F0000-0x0000000005566000-memory.dmp
memory/1580-6-0x0000000005450000-0x000000000545A000-memory.dmp
memory/1580-7-0x0000000005660000-0x000000000567E000-memory.dmp
memory/1580-8-0x00000000056A0000-0x00000000056AE000-memory.dmp
memory/4560-9-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-10-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1580-13-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/4560-12-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-14-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-15-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-21-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-25-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-29-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-34-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-33-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-45-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-49-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-53-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-55-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-57-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-61-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-65-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-66-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-69-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-73-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4560-87-0x0000000000400000-0x00000000004E2000-memory.dmp