Malware Analysis Report

2024-09-11 10:25

Sample ID 240719-l5rnlavgrl
Target 818455c49d4f7d1ac72755eab5482b20N.exe
SHA256 777ee8728510bc40496d40fff073848081d19135c4ae88210e4a1d8c3196a007
Tags

metamorpherrat persistence rat stealer trojan

Score

10/10


Analysis Overview

Score

10/10

SHA256

777ee8728510bc40496d40fff073848081d19135c4ae88210e4a1d8c3196a007

Threat Level: Known bad

The file 818455c49d4f7d1ac72755eab5482b20N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Deletes itself

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-19 10:07

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 10:07

Reported

2024-07-19 10:09

Platform

win7-20240705-en

Max time kernel

32s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBA79.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpBA79.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpBA79.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 1660 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2972 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 1660 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe C:\Users\Admin\AppData\Local\Temp\tmpBA79.tmp.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe

"C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gycjxmlv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB44.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpBA79.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBA79.tmp.exe" C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe

Network

Country Destination Domain Proto Events
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 8
US 8.8.8.8:53 t5tmike.no-ip.info udp 1

Files

memory/1660-0-0x0000000074501000-0x0000000074502000-memory.dmp

memory/1660-1-0x0000000074500000-0x0000000074AAB000-memory.dmp

memory/1660-2-0x0000000074500000-0x0000000074AAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gycjxmlv.cmdline

MD5 c21b3f309fb822bf77657ad1a0a29964
SHA1 37477acff8eb006668a126fc6cfe05ffd6a62dcf
SHA256 d82afaf8ed880d4d61724c8b29591533b7d7d6ddbf82bde1e644950f2d70e609
SHA512 7fd023f99ad54429247e2b57357bdbcb6c3510cdb6a88d3c21e12d5a72278340156a1baff92ec1c7e82407a7de50e0fb8d8ca3d21be878edf7f6a95c7e40fbee

memory/2972-8-0x0000000074500000-0x0000000074AAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gycjxmlv.0.vb

MD5 a52659b7319956b906f5bf581c50649b
SHA1 db14dd0a8e92e5f4ab1fd67d296e2ca569f178c1
SHA256 7594947f13dcb6178fe0bee6ed20f60f48e412ff4447db8f6f1eddc962d69431
SHA512 5df43ae0ae78ba1ffa19b981662c5b79402d8f378a2e497ce1ae0c4ca48a364beecd2faeef283ea397a872524d55991a3617269800ce8643fb22a9191ff50fbd

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcBB44.tmp

MD5 ceccd025c8f66d733af7c74d959e40fc
SHA1 ebfb86372ee69b6bb8ea588c99de8869ed7f5df8
SHA256 d4a18d99f2b681576ebc6e6cb5a8dc8568d4a56fa3212e58388a6b933f505819
SHA512 f59dc32d866ddbb4d338c6ee252648e5bc4ca2cb073f95fadd5ae1ca18f12e7f97cf9a698b81fbf7b62fc77eff2de22ed2e0500aef065ecc1da206bb7e3eb2bc

C:\Users\Admin\AppData\Local\Temp\RESBB45.tmp

MD5 fc8a69990dbbae7111b84143df7c1f64
SHA1 cd227f611f9acb21dc91c00d16ae974de0ad3697
SHA256 79d7b0845eb99367fd367379dcb22df594a563e07908f2c3ba4ce44d6ee16d74
SHA512 1386622358d687ae025e92d001452700d52b74fb2319527593393df0da7c13627ac891996b4007b95efcffab1b6ae03d5bc3fc9e0940a41ea3f0463fce70e87e

memory/2972-18-0x0000000074500000-0x0000000074AAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBA79.tmp.exe

MD5 6f2fbf5213721452e53d53605951b323
SHA1 14b0d0ee0be59edde32b06f4bfd2e1808162eb52
SHA256 e64f526a2377a885390224853e8b275920554f6e260bf17bb7e757ab313ebc29
SHA512 9bc3c2ffaafe7d4dd8610dc9e03956c57ccc00b57bf0908dfb2032cbbb7a4eaede411ba84946b66522411f272716d88f3437be87b65c701d41e5c8b90b43c373

memory/1660-24-0x0000000074500000-0x0000000074AAB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 10:07

Reported

2024-07-19 10:09

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe

"C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mgxnh8jf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC1DD413EB81B4260B8E49E8AD29A4EBA.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe

Network

Country Destination Domain Proto Events
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 23
US 8.8.8.8:53 t5tmike.no-ip.info udp 9
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp 1
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp 1
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp 1
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp 1
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp 1
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp 1
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp 1
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp 1
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp 1
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp 1

Files

memory/1060-0-0x0000000075092000-0x0000000075093000-memory.dmp

memory/1060-1-0x0000000075090000-0x0000000075641000-memory.dmp

memory/1060-2-0x0000000075090000-0x0000000075641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mgxnh8jf.cmdline

MD5 091fb5bcae0110a28cf951fd9e57fe48
SHA1 f1f94cd18895b0122ef02817ff322304d19c7cd5
SHA256 aae9832ab4bddeeb129f81b9d610f495b614c43831b569b0d66d8f2bef0eeb66
SHA512 090b0eccdc3ef2bc7d8f9a50c3e63aa1d6965d040e9b1cdc8d804a99d0184d867097ad291b6efb2404d53a0e7336b1820c3c74770c1371e3ab5f7b70a08ba45b

C:\Users\Admin\AppData\Local\Temp\mgxnh8jf.0.vb

MD5 1415d03f77ff1f0506f2333750dce18b
SHA1 5067da76da254a09634cdc7be4dacbabb91fafea
SHA256 8f2cc930370c4f7af1a293932603f10ffd9327ef1fef3d03e4fe53dc10d7a6b7
SHA512 397f0329a7e340b277439a5ada7c8f4b29090e3f8795cbe4920d7e04e89faa5eb54045eb0e2f02787f9e8a0d49f97c5bf0d4fbcc3822728208d421cdd051ef3a

memory/4552-9-0x0000000075090000-0x0000000075641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcC1DD413EB81B4260B8E49E8AD29A4EBA.TMP

MD5 f7abdcfa2b84539c1da113e296ba3be0
SHA1 4cf71e72b1098bec9f90712e53d8f356eb5c298d
SHA256 7927bf2e940917113d95771095e4533b97b129705784933cb005e42cd3628553
SHA512 4b933d4ecee30a74f53414dc74a6811cdbb7a9b8547f760fb112b7c14fa424501b6e65c3482b3b408f1ebbe618115050d600773b68b0a9aa40d194a848cfd07b

C:\Users\Admin\AppData\Local\Temp\RESBCD8.tmp

MD5 3d64156068ac9265a65a4a6f28ae0c25
SHA1 e9dd8daac355a7fa7894ebd5bd6b736dddadaadb
SHA256 955f681b4440304986b3f1a37792014fb6202a18c8c5139206a9fdbef9086df2
SHA512 85d3514c64cf3f826893c9c5f1f70ed0cc4639e753ecd6e1675efc2bfe40810fda79bba1215b5b36ec1166e5b9b1433e50c62e00408eb3f3788d58b1b82e841d

memory/4552-18-0x0000000075090000-0x0000000075641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.exe

MD5 d41405b30b66dd4217aec97b855b8044
SHA1 f74db53a9b13af5d49c5a71da78dc1c9f5530c42
SHA256 f20a3ff72aab049e29b11449f51a1935ca3ca20b37c8a3312b0f7ec9cafd5b00
SHA512 86c54664c0b4d08d7b6b9ff4e3de6604dd828068c9386b3633e37cc13a96ad5ff848d78d8391bc3993b2b204a9ec81c96b7f8443277a8e80060753b899706e51

memory/1060-22-0x0000000075090000-0x0000000075641000-memory.dmp

memory/3684-23-0x0000000075090000-0x0000000075641000-memory.dmp

memory/3684-24-0x0000000075090000-0x0000000075641000-memory.dmp

memory/3684-25-0x0000000075090000-0x0000000075641000-memory.dmp

memory/3684-26-0x0000000075090000-0x0000000075641000-memory.dmp

memory/3684-27-0x0000000075090000-0x0000000075641000-memory.dmp