Malware Analysis Report

2024-10-19 08:46

Sample ID 220521-pjenpaafaq
Target 83d00e235085eda89e4358f3700260657391df716ad8f77c0bcf37f5a7b81d96
SHA256 83d00e235085eda89e4358f3700260657391df716ad8f77c0bcf37f5a7b81d96
Tags
masslogger collection ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

83d00e235085eda89e4358f3700260657391df716ad8f77c0bcf37f5a7b81d96

Threat Level: Known bad

The file 83d00e235085eda89e4358f3700260657391df716ad8f77c0bcf37f5a7b81d96 was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware spyware stealer

MassLogger log file

MassLogger

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 12:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 12:21

Reported

2022-05-21 12:33

Platform

win7-20220414-en

Max time kernel

87s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bank Account.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2024 set thread context of 1448 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2024 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2024 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2024 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2024 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2024 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2024 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2024 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2024 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2024 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2024 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2024 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2024 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Bank Account.exe

"C:\Users\Admin\AppData\Local\Temp\Bank Account.exe"

C:\Users\Admin\AppData\Local\Temp\Bank Account.exe

"C:\Users\Admin\AppData\Local\Temp\Bank Account.exe"

C:\Users\Admin\AppData\Local\Temp\Bank Account.exe

"C:\Users\Admin\AppData\Local\Temp\Bank Account.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp

Files

memory/2024-54-0x0000000000110000-0x0000000000254000-memory.dmp

memory/2024-55-0x0000000076011000-0x0000000076013000-memory.dmp

memory/2024-56-0x00000000004A0000-0x00000000004A8000-memory.dmp

memory/2024-57-0x0000000007C00000-0x0000000007CE6000-memory.dmp

memory/2024-58-0x00000000072A0000-0x0000000007368000-memory.dmp

memory/1448-59-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1448-60-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1448-63-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1448-62-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1448-64-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1448-65-0x00000000004B341E-mapping.dmp

memory/1448-67-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1448-69-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1448-70-0x00000000021B0000-0x0000000002228000-memory.dmp

memory/1448-72-0x0000000004325000-0x0000000004336000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 12:21

Reported

2022-05-21 12:34

Platform

win10v2004-20220414-en

Max time kernel

162s

Max time network

176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bank Account.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2508 set thread context of 2140 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2508 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2508 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2508 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2508 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2508 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2508 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2508 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Users\Admin\AppData\Local\Temp\Bank Account.exe
PID 2140 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\Bank Account.exe C:\Windows\SysWOW64\cmd.exe
PID 3784 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bank Account.exe

"C:\Users\Admin\AppData\Local\Temp\Bank Account.exe"

C:\Users\Admin\AppData\Local\Temp\Bank Account.exe

"C:\Users\Admin\AppData\Local\Temp\Bank Account.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Bank Account.exe' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Bank Account.exe'

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
IE 20.54.110.249:443 tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp

Files

memory/2508-130-0x0000000000470000-0x00000000005B4000-memory.dmp

memory/2508-131-0x0000000007420000-0x00000000074BC000-memory.dmp

memory/2508-132-0x0000000007A70000-0x0000000008014000-memory.dmp

memory/2508-133-0x0000000007560000-0x00000000075F2000-memory.dmp

memory/2508-134-0x0000000007410000-0x000000000741A000-memory.dmp

memory/2508-135-0x00000000076F0000-0x0000000007746000-memory.dmp

memory/2140-136-0x0000000000000000-mapping.dmp

memory/2140-137-0x0000000000400000-0x00000000004B8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bank Account.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

memory/2140-139-0x0000000005970000-0x00000000059D6000-memory.dmp

memory/3784-140-0x0000000000000000-mapping.dmp

memory/1320-141-0x0000000000000000-mapping.dmp

memory/1320-142-0x0000000002240000-0x0000000002276000-memory.dmp

memory/1320-143-0x0000000004D10000-0x0000000005338000-memory.dmp

memory/1320-144-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

memory/1320-145-0x00000000054B0000-0x0000000005516000-memory.dmp

memory/1320-146-0x0000000005B70000-0x0000000005B8E000-memory.dmp

memory/1320-147-0x0000000007400000-0x0000000007A7A000-memory.dmp

memory/1320-148-0x0000000006080000-0x000000000609A000-memory.dmp

memory/1320-149-0x0000000006D80000-0x0000000006E16000-memory.dmp

memory/1320-150-0x0000000006150000-0x0000000006172000-memory.dmp