Malware Analysis Report

2025-01-18 04:59

Sample ID 220330-jvdb4seedl
Target 04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc
SHA256 04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc
Tags
masslogger collection persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc

Threat Level: Known bad

The file 04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc was found to be: Known bad.

Malicious Activity Summary

masslogger collection persistence spyware stealer

MassLogger

MassLogger Main Payload

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-30 07:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-30 07:59

Reported

2022-04-01 04:39

Platform

win7-20220331-en

Max time kernel

74s

Max time network

60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe

"C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe"

C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe

"C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-30 07:59

Reported

2022-04-01 04:38

Platform

win10v2004-20220331-en

Max time kernel

51s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5116 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe

"C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe"

C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe

"C:\Users\Admin\AppData\Local\Temp\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe"

Network

Country Destination Domain Proto
US 20.189.173.1:443 tcp
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
FI 62.115.252.81:80 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\04152a0afcecfd0fec39d738d02d64f2ef360a82b9d001c4e25465ec6a44d9cc.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
