Malware Analysis Report

2024-11-30 11:11

Sample ID 241115-wh1cbssmhj
Target Dark_drop_2_pers_lum_clean.exe.bin.exe
SHA256 cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88
Tags
discovery darkgate derry execution persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file Dark_drop_2_pers_lum_clean.exe.bin.exe was found to be: Known bad.

Malicious Activity Summary

discovery darkgate derry execution persistence stealer

Detect DarkGate stealer

Darkgate family

DarkGate

Executes dropped EXE

Adds Run key to start application

Command and Scripting Interpreter: AutoIT

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 17:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 17:56

Reported

2024-11-15 17:58

Platform

win7-20241010-en

Max time kernel

14s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe.bin.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe.bin.exe

"C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe.bin.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 172

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 17:56

Reported

2024-11-15 17:58

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe.bin.exe"

Signatures

DarkGate

stealer darkgate

Darkgate family

darkgate

Detect DarkGate stealer

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\temp\test\Autoit3.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dedeecf = "\"C:\\ProgramData\\aegdgff\\Autoit3.exe\" C:\\ProgramData\\aegdgff\\hkfbdec.a3x" \??\c:\temp\test\Autoit3.exe N/A

Command and Scripting Interpreter: AutoIT

execution
Description Indicator Process Target
N/A N/A \??\c:\temp\test\Autoit3.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2928 set thread context of 224 N/A \??\c:\temp\test\Autoit3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe.bin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\temp\test\Autoit3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\temp\test\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\temp\test\Autoit3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe.bin.exe N/A
N/A N/A \??\c:\temp\test\Autoit3.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\temp\test\Autoit3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe.bin.exe \??\c:\temp\test\Autoit3.exe
PID 2928 wrote to memory of 4324 N/A \??\c:\temp\test\Autoit3.exe \??\c:\windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 3584 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2928 wrote to memory of 224 N/A \??\c:\temp\test\Autoit3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe.bin.exe

"C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe.bin.exe"

\??\c:\temp\test\Autoit3.exe

"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x

\??\c:\windows\SysWOW64\cmd.exe

"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\aegdgff\gadhaah

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic ComputerSystem get domain

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Network

Files

C:\temp\test\Autoit3.exe

\??\c:\temp\test\script.a3x

C:\ProgramData\aegdgff\gadhaah
