Malware Analysis Report

2024-11-13 19:14

Sample ID 240824-w3r7fstbkd
Target NitroGenerator.exe
SHA256 101e7be71c1ef5b6c772b7e6f2374d5d9bd2f55f8c1cbd051fe504e9610ce2ee
Tags
discovery sectoprat evasion rat themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

101e7be71c1ef5b6c772b7e6f2374d5d9bd2f55f8c1cbd051fe504e9610ce2ee

Threat Level: Known bad

The file NitroGenerator.exe was found to be: Known bad.

Malicious Activity Summary

discovery sectoprat evasion rat themida trojan

SectopRAT

SectopRAT payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Loads dropped DLL

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-24 18:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-24 18:27

Reported

2024-08-24 18:29

Platform

win7-20240704-en

Max time kernel

13s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3008_133689976358714000\main.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\onefile_3008_133689976358714000\main.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe

"C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_3008_133689976358714000\main.exe

C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\onefile_3008_133689976358714000\main.exe

MD5 fe881dbd608450f02a03bd30cf4f9c6a
SHA1 8200652ae003860d6a8b56680821cedda70ded3b
SHA256 188878f5fbe1f06203d60a08f6abc3495f0187907eda787c4c3e12c2a73de03f
SHA512 af8c785cf08df429b558c97b5b86507ad5dbad7bed2474317012f05a365ad487a3a57c70ff17f8e57c9ca00aee0265f746a4eb1e42f806f122cfdd7d52f1f137

C:\Users\Admin\AppData\Local\Temp\onefile_3008_133689976358714000\python311.dll

MD5 01dad4bcbf2d93c294ec789cead86c81
SHA1 68983bb44bd719bb8b68ef6653eecb5e274bac53
SHA256 4c70503cd8ec785604eae405d0e59aaf649b6a62d284deccebeaa51da47d6c6c
SHA512 4f2f06f7fcee7291794e674b7033f6777a7605e475b771598ec5d247e483944c4d92967c3b86d84b828b2415e457198f667183609cf39ec8f8ce177c285847cb

memory/3008-49-0x0000000001390000-0x0000000001AC3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-24 18:27

Reported

2024-08-24 18:29

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe

"C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe

C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cwel.me udp
US 172.67.154.53:443 cwel.me tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 53.154.67.172.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 kacperciesninski.cwel.me udp
PL 45.138.16.155:2137 kacperciesninski.cwel.me tcp
NL 52.178.17.2:443 tcp
PL 45.138.16.155:2137 kacperciesninski.cwel.me tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
PL 45.138.16.155:2137 kacperciesninski.cwel.me tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
PL 45.138.16.155:2137 kacperciesninski.cwel.me tcp
PL 45.138.16.155:2137 kacperciesninski.cwel.me tcp

Files

C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe

MD5 fe881dbd608450f02a03bd30cf4f9c6a
SHA1 8200652ae003860d6a8b56680821cedda70ded3b
SHA256 188878f5fbe1f06203d60a08f6abc3495f0187907eda787c4c3e12c2a73de03f
SHA512 af8c785cf08df429b558c97b5b86507ad5dbad7bed2474317012f05a365ad487a3a57c70ff17f8e57c9ca00aee0265f746a4eb1e42f806f122cfdd7d52f1f137

C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\python311.dll

MD5 01dad4bcbf2d93c294ec789cead86c81
SHA1 68983bb44bd719bb8b68ef6653eecb5e274bac53
SHA256 4c70503cd8ec785604eae405d0e59aaf649b6a62d284deccebeaa51da47d6c6c
SHA512 4f2f06f7fcee7291794e674b7033f6777a7605e475b771598ec5d247e483944c4d92967c3b86d84b828b2415e457198f667183609cf39ec8f8ce177c285847cb

C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\VCRUNTIME140.dll

MD5 17f01742d17d9ffa7d8b3500978fc842
SHA1 2da2ff031da84ac8c2d063a964450642e849144d
SHA256 70dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e
SHA512 c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

MD5 5a15ebc6fea692994aebf7a33eb9537a
SHA1 cd701822370b4837cb64a964ffc9a2a39b49412d
SHA256 f819d0444aeff705aea0f011f3787a04220f426eef0130a899b84d4848f78627
SHA512 628f7232ad358647e1d4ce2d19a200c184ffe3f0d0f387fb3473169bb0c4594dd380b59887d59fdaff1a36a6a15e7953356eef828f8dd3fcf422414f88a2efe8

C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\select.pyd

MD5 1b9bb917bf3d56a711c0dc5098eb3be6
SHA1 b7951787cc9037259b01ff5b5462cfcdac2f1c9b
SHA256 2af9f8340f380b51dc0673d5e458caf3e56f3a395f6884962c71f9293391c70b
SHA512 058c28af566d3344d91f0428a228cd30f52ff7275c35371ddc677c3620160e3164ec34037f7901c39aa0392bd5fea17961d2d7ab93974c661831dd0dc076ebc1

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

MD5 6238633c459e1e2af10f9cb33162eee8
SHA1 5b20757caddfd79b8080dd8978b1e092b3ef54e8
SHA256 b48adf6f1286a0f2dd8a4442fe8a2200db7addd8400dfe99080556f815d40cff
SHA512 db59fd425c7f51f85f9988cdc739d6590803efed2d013c0222a6c9c36fc464479a35366c0b3ba573de601a36a68ae50fd27a6b6fa5b41e86a72fa8f5f37c9670

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

MD5 2e9277a5dd088949086d450da0e5f4e8
SHA1 c939886464bb65dc4667d8e477d97a619eadddfc
SHA256 7de51a1913ca3b10027f83d99ccccb166d6a3c06ca5d6358f260342dbacdbf6a
SHA512 9f16c77cd90e1b6657f3d2cbd131273bf24becff01c198690ebadb2c454e3f84b88a7e9c6fecdb7f564e1aa99a5583bbd1933e5db408efce3a9095776fa1a056

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

MD5 8b8fb5ec8d5fca88463bb9ad9fa23344
SHA1 cbc26ffca78f03b146c84925749029ca2777b30a
SHA256 b777ccc04c05ca5b0a6ff68e6c46ad9837dc02311ee132ad6a81910f4a1ed54f
SHA512 3763752732822b80622d5260745313575993f535b1fed49434483b644009eb09ab91a1a7f32df22ada477d873ddb0726e0ab5e9416b08fa70e6446d8e981104d

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

MD5 cf015a78b6aaeeb4d03484f4085ebe9e
SHA1 2f08f97b4435d57846f7e9ff247acfd5784ba93e
SHA256 1cc522afa8efd21280af65ac3015c1439cc6654ecc88053dd76a491ec1a3fbe4
SHA512 aafa8f2c5817ac256c9e3e197c813cdcffbe936b4826797face8566a05dc19a68bed9ae7047d3f5a06408ad3e42459325e77266d606fcf827287940e7e250d51

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

MD5 fba68bf5c0074a51901b87e26a8c8f97
SHA1 2866d58bfbb19c1a629baebc00ef7a6debb9e1fe
SHA256 f2f775916f24d7b949b68d460fd34cdc86825f542b3d6207733b84106cb43e2e
SHA512 66b55a4ff7ed51e5997285f20fb585ea33dd48e7156d5e0d826bb37bf473a43116d19d1295cbb58f1e6e833f34a91e6550c893c6bc89f895273d785982920f05

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

MD5 181ac9a809b1a8f1bc39c1c5c777cf2a
SHA1 9341e715cea2e6207329e7034365749fca1f37dc
SHA256 488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee
SHA512 e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

MD5 8b4d78b1bd4795f786125c8032cd7018
SHA1 01ac050850aa60167936ce7963b349407e60a803
SHA256 03da5f3cfbd22c024bc30623123d6eb200d8cd51fd6911a26dba9c6bd742dfdc
SHA512 697f1f480c4f490c74ba959bfa22a5ac169fda450cc7a062054ce192394976e8de403b10102de4498a3aec97f456fa777ab270879e828451622f112aeb41c6c4

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

MD5 113cec4cffb5a6c47c1c53052897e6a2
SHA1 c84947efa0b8290a4baae63ad1d5db98ef88fb1f
SHA256 157f928b0bf79b7cab8f67b5ccaefee6cfd81e8d417eac77ac830b173488f997
SHA512 843af159051e08010ee5bd71c0aa8580149402a65584eb325df304099bcc9149faf29085bb6d81346edd8744a1e8dc3d3cf437f79d53a6feb83d3f59577e9b08

C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\libffi-8.dll

MD5 74d2b5e0120a6faae57042a9894c4430
SHA1 592f115016a964b7eb42860b589ed988e9fff314
SHA256 b982741576a050860c3f3608c7b269dbd35ab296429192b8afa53f1f190069c0
SHA512 f3c62f270488d224e24e29a078439736fa51c9ac7b0378dd8ac1b6987c8b8942a0131062bd117977a37046d4b1488f0f719f355039692bc21418fdfbb182e231

C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\unicodedata.pyd

MD5 ba07111d13d9dcd451b333a9127d4ac6
SHA1 cd50441104257153819b647b2ecf6e7be0f0d802
SHA256 d3dce2bf827156d0b94a78059f1c2504e8337b90b23f758a125fa38e047fe684
SHA512 450f23012b0ef4bf19e3db0ffdf768428bf58bccd262ea1e26346e231d510e4da9201a09d5c3a7f4638f7ffeaf5ed517548f90ba73b77ce69497b33a7a01c8a8

C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\charset_normalizer\md__mypyc.pyd

MD5 ca6309d94f4136c058a244044c890d89
SHA1 49424c3eba17a4675a469326b6a5f10f6c14ba88
SHA256 b65e4644d0cdc01f5076fe9b7548ffd047ae143087b8ab3cbe0a1dc24fdbf00d
SHA512 ec2329db2378350ec27d742ed649df3fb81b1b2dfb24ed4cd8c274852742809c571f28a960f8907f04ec515c1960c2111880fbeecacfd04dea439a4d116f225b

C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\charset_normalizer\md.pyd

MD5 5242622c9818ff5572c08d3f9f96ea07
SHA1 f4c53ef8930a2975335182ad9b6c6a2ab3851362
SHA256 85f6e0b522d54459e7d24746054d26ba35ea4cc8505a3dd74a2bf5590f9f40fc
SHA512 c2ef2a5632eb42b00756bee9ffb00e382cbc1b0c6578243f3f1fe48eff18a1033187a5d7bf8bda4d9cf8d6cb4131ca37c47d8238ff264e1b1c496b16740b79a7

C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\_hashlib.pyd

MD5 d1c86bcaf38f2c155fa04009591de420
SHA1 d5677ffb8bdb48e3690aa33b84c25c9ac76a5051
SHA256 c6cb5b01ac5f2c18d99540960855bef93ef177557c3d73cb8599186d4a08c130
SHA512 9ca6e41d875e87be8ebb71991b7d48831eb1a9b742de834bf779bf7e3e38e11063a94c420151be46a064a59bcb8d55b373ee17a2ad2a14737d9c9d5b3662eb26

C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\zstandard\backend_c.pyd

MD5 85fc4bf48a5131557c86ac1d171ba367
SHA1 22a0432770f274baa6387416211e16610d62f2a2
SHA256 152f92483f12da67df378b1ea8c1b8500dcf600435f763932647352c8fd79724
SHA512 dcc0caeb0efab08f9a86ff1ced0b752f2a4ba885c99e0c3a794862056a63ea03a72c2d8869b19dcc3b0e3b5e3b257bcf7176b59e3700d4f635356defddd32cac

memory/2492-63-0x0000000000FA0000-0x00000000016D3000-memory.dmp

memory/4824-64-0x00000000002B0000-0x0000000000E88000-memory.dmp

memory/4824-66-0x00000000002B0000-0x0000000000E88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.exe

MD5 9fc140cadd49c639ccdc22cd217fbca2
SHA1 b660df2d1919b96c45a16f46deacbdf74d3393cc
SHA256 82eba2779dd22e900353319c02d81b027fd5681419decfeb433f71300618f8b7
SHA512 0d004f815e10398e08bb065e7902dd1a83b45723093058fd0fb2a6bac9698fec193c03e148949b221154c2c604af6f9964e5be613925b5d919ecb1b562da7abf

memory/3340-71-0x0000000000400000-0x000000000103A000-memory.dmp

memory/3340-72-0x0000000076650000-0x0000000076651000-memory.dmp

memory/3340-75-0x0000000076630000-0x0000000076720000-memory.dmp

memory/3340-74-0x0000000076630000-0x0000000076720000-memory.dmp

memory/3340-73-0x0000000076630000-0x0000000076720000-memory.dmp

memory/3340-76-0x0000000076630000-0x0000000076720000-memory.dmp

memory/3340-78-0x0000000076630000-0x0000000076720000-memory.dmp

memory/3340-77-0x0000000076630000-0x0000000076720000-memory.dmp

memory/3340-79-0x0000000076630000-0x0000000076720000-memory.dmp

memory/3340-81-0x0000000000400000-0x000000000103A000-memory.dmp

memory/3340-82-0x0000000000400000-0x000000000103A000-memory.dmp

memory/3340-83-0x0000000005710000-0x0000000005D28000-memory.dmp

memory/4824-85-0x00000000002B0000-0x0000000000E88000-memory.dmp

memory/3340-86-0x00000000055A0000-0x00000000055B2000-memory.dmp

memory/3340-87-0x00000000055C0000-0x00000000055FC000-memory.dmp

memory/3340-88-0x0000000005620000-0x000000000566C000-memory.dmp

memory/3340-89-0x0000000005DE0000-0x0000000005EEA000-memory.dmp

memory/3340-90-0x0000000000400000-0x000000000103A000-memory.dmp

memory/3340-91-0x0000000076650000-0x0000000076651000-memory.dmp

memory/3340-92-0x0000000076630000-0x0000000076720000-memory.dmp

memory/3340-93-0x0000000076630000-0x0000000076720000-memory.dmp

memory/3340-94-0x0000000076630000-0x0000000076720000-memory.dmp

memory/3340-97-0x0000000076630000-0x0000000076720000-memory.dmp