Analysis Overview
SHA256
c35efac9d16552df2c7020672b7a1b10f18922aa7c52b1f2b9418a2fa2802570
Threat Level: Known bad
The file c35efac9d16552df2c7020672b7a1b10f18922aa7c52b1f2b9418a2fa2802570 was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger log file
Obfuscated with Agile.Net obfuscator
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-21 11:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 11:16
Reported
2022-05-21 11:35
Platform
win7-20220414-en
Max time kernel
100s
Max time network
106s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1260 set thread context of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe
"C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| NL | 104.110.191.14:80 | repository.certum.pl | tcp |
Files
memory/1260-54-0x00000000002C0000-0x000000000051E000-memory.dmp
memory/1260-55-0x0000000000540000-0x0000000000554000-memory.dmp
memory/1260-56-0x0000000000560000-0x0000000000568000-memory.dmp
memory/1260-57-0x00000000005E0000-0x00000000005E8000-memory.dmp
memory/1260-58-0x0000000000680000-0x0000000000688000-memory.dmp
memory/1116-59-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-60-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-62-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-64-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-65-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-66-0x00000000004A12AE-mapping.dmp
memory/1116-68-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-70-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-72-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-74-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-76-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-78-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-80-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-82-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-84-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-86-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-88-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-90-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-92-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-94-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-96-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-98-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-100-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-102-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-104-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-106-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-108-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-110-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-112-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-114-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-116-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-118-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-120-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-122-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1116-576-0x0000000000900000-0x0000000000944000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 11:16
Reported
2022-05-21 11:35
Platform
win10v2004-20220414-en
Max time kernel
93s
Max time network
140s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3112 set thread context of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe
"C:\Users\Admin\AppData\Local\Temp\Erenrcompany.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 67.26.105.254:80 | tcp | |
| US | 20.189.173.10:443 | tcp | |
| US | 67.24.25.254:80 | tcp | |
| US | 67.24.25.254:80 | tcp | |
| US | 67.24.25.254:80 | tcp | |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
Files
memory/3112-130-0x0000000000D90000-0x0000000000FEE000-memory.dmp
memory/3112-131-0x0000000005F50000-0x00000000064F4000-memory.dmp
memory/3112-132-0x0000000005AA0000-0x0000000005B32000-memory.dmp
memory/3112-133-0x0000000007250000-0x0000000007294000-memory.dmp
memory/2992-134-0x0000000000000000-mapping.dmp
memory/2992-135-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-137-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-139-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-141-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-143-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-145-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-147-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-149-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-151-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-153-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-155-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-157-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-159-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-161-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-163-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-165-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-167-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-169-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-171-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-173-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-175-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-177-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-179-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-181-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-183-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-185-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-187-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-189-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-191-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-193-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-195-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-197-0x0000000000400000-0x0000000000546000-memory.dmp
memory/2992-640-0x0000000006150000-0x00000000061B6000-memory.dmp
memory/2992-641-0x0000000006970000-0x000000000697A000-memory.dmp
memory/2992-642-0x00000000072F0000-0x0000000007340000-memory.dmp
memory/2992-643-0x00000000078D0000-0x000000000796C000-memory.dmp