Analysis Overview
SHA256
4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc
Threat Level: Known bad
The file 4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
UPX packed file
Sets file to hidden
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
AutoIT Executable
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Views/modifies file attributes
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-20 15:54
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-20 15:54
Reported
2022-07-20 16:43
Platform
win7-20220718-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe
"C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe"
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\ENU_687FE97C395F5A4E9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\1\*"
C:\Windows\system32\taskeng.exe
taskeng.exe {0DDBAD92-38D0-4C8C-8E6A-CF2DCE0EEDB5} S-1-5-21-3762437355-3468409815-1164039494-1000:TZEOUYSL\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources"
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| UA | 217.147.169.126:80 | tcp | |
| UA | 217.147.169.126:80 | tcp |
Files
memory/880-54-0x00000000762D1000-0x00000000762D3000-memory.dmp
memory/1924-55-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/1924-59-0x0000000061E00000-0x0000000061ED2000-memory.dmp
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/1336-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/1924-64-0x00000000053B0000-0x000000000542D000-memory.dmp
memory/1336-65-0x0000000000400000-0x000000000047D000-memory.dmp
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\1\Information.txt
| MD5 | 51b376c55abb61cb02304f25089b5a0f |
| SHA1 | ad42c74a4d2a1747ea2aae87ed485840d1fbf2c4 |
| SHA256 | 501c10bf94df97ead371cb44cebea8df4c46b24a360515fd0421eb4294c2ec3e |
| SHA512 | d06ba5b0d006776cb3f9cf7f937c1e5dca08f90a35e29c67af85ebce8f8a2c0bc96d4f33dab28beba6070269cd0cebbcd8af6490149d866d0464b338fc4b5c7c |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\1\Screen.jpg
| MD5 | 3fecaeb4fcc595281885752f801a833d |
| SHA1 | d46ac15cb810c154b5a8e92ddb02b583d391f568 |
| SHA256 | 477dc4eba79e2cc6805eb66d1295d3c995da07527d328bf59931194490cfde52 |
| SHA512 | 8cc4c412f01fb38246e081fc13b78a05c65e8274206b3565c35d06cd7db252ca9d4fb25bbb76e7571a81d886c0739ceb96a61c085cd629b37b7a702e0f46a40e |
memory/1336-68-0x0000000000400000-0x000000000047D000-memory.dmp
memory/1924-69-0x00000000053B0000-0x000000000542D000-memory.dmp
memory/1924-70-0x00000000053B0000-0x000000000542D000-memory.dmp
memory/1904-71-0x0000000000000000-mapping.dmp
memory/1944-73-0x0000000000000000-mapping.dmp
memory/1032-74-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-20 15:54
Reported
2022-07-20 16:42
Platform
win10v2004-20220414-en
Max time kernel
123s
Max time network
152s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe
"C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe"
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\ENU_801FE970A758A6AE9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources"
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| UA | 217.147.169.126:80 | tcp | |
| NL | 88.221.144.179:80 | tcp | |
| US | 20.42.73.25:443 | tcp | |
| NL | 104.97.14.81:80 | tcp | |
| NL | 104.97.14.81:80 | tcp | |
| NL | 104.97.14.81:80 | tcp | |
| FR | 2.18.109.224:443 | tcp | |
| US | 104.18.24.243:80 | tcp |
Files
memory/2976-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/2976-133-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/2976-134-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/2032-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/2032-137-0x0000000000400000-0x000000000047D000-memory.dmp
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\1\Information.txt
| MD5 | 94b8a755a7df8c1ebe5ba2ebacca78a4 |
| SHA1 | f57f43cac65be1de8b9c4be542edcabf5e7bb2c9 |
| SHA256 | e794a75c4e3c7be6e12865d54e3c4fac1ea26427e2c40e7a3a2ddef267b91279 |
| SHA512 | 1dfced25c12ef6835f864dfbda7a716b669b629c9530407d78eb74b9e72e65c19ac5607b74ad24bd58a42075bca44302be0855bd71a139fbd1ccf3423bbe5047 |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\1\Screen.jpg
| MD5 | c56ba2d80377f1c7e73c237fc620d79f |
| SHA1 | cdd59a6d1a1a4c474c19f1bacc289ca295179088 |
| SHA256 | 3c702a915ec35a6ce85b31316704a6bf55d6c782da0f96754bd04c21194f2767 |
| SHA512 | 50d7c16ac7a0cf5c0104e528771e8853d4c3190f1a8860c30a9c647fe5d0a2e5e9d3178a5b7993e67a7995088778c4e9a129cf35bed228cfebfde48efbe7490a |
memory/2032-141-0x0000000000400000-0x000000000047D000-memory.dmp
memory/2976-142-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/2976-143-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/2484-144-0x0000000000000000-mapping.dmp