Malware Analysis Report

2024-10-19 07:51

Sample ID 240814-sms72aygrb
Target works (i thimk).exe
SHA256 0a4869f2b7d46eda43c07a1986f8cccecc36b42bf5587b146f6f6a5f119b2bb5
Tags
xenorat discovery rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a4869f2b7d46eda43c07a1986f8cccecc36b42bf5587b146f6f6a5f119b2bb5

Threat Level: Known bad

The file works (i thimk).exe was found to be: Known bad.

Malicious Activity Summary

xenorat discovery rat trojan

Xenorat family

XenorRat

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 15:14

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 15:14

Reported

2024-08-14 15:15

Platform

win7-20240704-en

Max time kernel

0s

Max time network

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\works (i thimk).exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\works (i thimk).exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\works (i thimk).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\works (i thimk).exe

"C:\Users\Admin\AppData\Local\Temp\works (i thimk).exe"

C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe"

Network

N/A

Files

memory/964-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

memory/964-1-0x0000000001250000-0x0000000001262000-memory.dmp

\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe

MD5 63b36e568577473bb71a7b54f56e8ec2
SHA1 7a36dc6d73687d3e8df8b02abeeaf52b7075e33d
SHA256 0a4869f2b7d46eda43c07a1986f8cccecc36b42bf5587b146f6f6a5f119b2bb5
SHA512 9c41f09037d56b7143596526a26d0a0fd5d45f0d2b1e31e56950a35ef494b60eaf0941cb0e0e485228216aba2fe0accf295988fcc20d664fe9b1bbb20e223305

memory/880-9-0x000000007431E000-0x000000007431F000-memory.dmp

memory/880-10-0x0000000000080000-0x0000000000092000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 15:14

Reported

2024-08-14 15:17

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\works (i thimk).exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\works (i thimk).exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\works (i thimk).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4056 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\works (i thimk).exe C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe
PID 4056 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\works (i thimk).exe C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe
PID 4056 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\works (i thimk).exe C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe
PID 1956 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe C:\Windows\SysWOW64\schtasks.exe
PID 1956 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe C:\Windows\SysWOW64\schtasks.exe
PID 1956 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe C:\Windows\SysWOW64\schtasks.exe
PID 5044 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe C:\Windows\SysWOW64\schtasks.exe
PID 5044 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe C:\Windows\SysWOW64\schtasks.exe
PID 5044 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe C:\Windows\SysWOW64\schtasks.exe
PID 1956 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe
PID 1956 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe
PID 1956 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe
PID 2232 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\works (i thimk).exe

"C:\Users\Admin\AppData\Local\Temp\works (i thimk).exe"

C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Java Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB5F2.tmp" /F

C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Java Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp49B6.tmp" /F

C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Java Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp82C7.tmp" /F

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 communication-sig.gl.at.ply.gg udp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 8.8.8.8:53 22.221.185.147.in-addr.arpa udp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 147.185.221.22:3038 communication-sig.gl.at.ply.gg tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/4056-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

memory/4056-1-0x0000000000C30000-0x0000000000C42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XenoManager\works (i thimk).exe

MD5 63b36e568577473bb71a7b54f56e8ec2
SHA1 7a36dc6d73687d3e8df8b02abeeaf52b7075e33d
SHA256 0a4869f2b7d46eda43c07a1986f8cccecc36b42bf5587b146f6f6a5f119b2bb5
SHA512 9c41f09037d56b7143596526a26d0a0fd5d45f0d2b1e31e56950a35ef494b60eaf0941cb0e0e485228216aba2fe0accf295988fcc20d664fe9b1bbb20e223305

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\works (i thimk).exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/1956-15-0x0000000074A80000-0x0000000075230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB5F2.tmp

MD5 29eb753358d125c7c390bbc045159183
SHA1 e4d75fddaed27d5f9c6cebb61b9a894c86537172
SHA256 177305de144cf978284546c92b54d160292c5eadc50d1a60e6e5d4d335558129
SHA512 f81ceaf387b4ba65cbfec795231422a6df11bc7f4a9566c68a3f5c4407283adfe1e5d3f27259f84a101460fdcd4369fe7089b88d36b2651ad5656bb4aba39820

memory/1956-18-0x0000000005CC0000-0x0000000005D26000-memory.dmp

memory/1956-19-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/1956-20-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/1956-21-0x0000000005C60000-0x0000000005C6C000-memory.dmp

memory/5044-23-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/5044-29-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/1956-30-0x0000000005CA0000-0x0000000005CAA000-memory.dmp

memory/1956-31-0x0000000006B30000-0x00000000070D4000-memory.dmp

memory/1956-32-0x0000000006580000-0x0000000006612000-memory.dmp

memory/1956-33-0x0000000005F20000-0x0000000005F2A000-memory.dmp

memory/3668-36-0x000001AB990B0000-0x000001AB990B1000-memory.dmp

memory/3668-35-0x000001AB990B0000-0x000001AB990B1000-memory.dmp

memory/3668-34-0x000001AB990B0000-0x000001AB990B1000-memory.dmp

memory/3668-40-0x000001AB990B0000-0x000001AB990B1000-memory.dmp

memory/3668-46-0x000001AB990B0000-0x000001AB990B1000-memory.dmp

memory/3668-45-0x000001AB990B0000-0x000001AB990B1000-memory.dmp

memory/3668-44-0x000001AB990B0000-0x000001AB990B1000-memory.dmp

memory/3668-43-0x000001AB990B0000-0x000001AB990B1000-memory.dmp

memory/3668-42-0x000001AB990B0000-0x000001AB990B1000-memory.dmp

memory/3668-41-0x000001AB990B0000-0x000001AB990B1000-memory.dmp