Malware Analysis Report

2024-09-22 23:53

Sample ID 240429-yl22fabc24
Target Client.exe
SHA256 2977e0b05594746088bff548f75d614c92c1f0ba9ecc321f5350388271deec4c
Tags
stormkitty collection discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2977e0b05594746088bff548f75d614c92c1f0ba9ecc321f5350388271deec4c

Threat Level: Known bad

The file Client.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty collection discovery spyware stealer

StormKitty

Stormkitty family

StormKitty payload

Reads user/profile data of web browsers

Looks up external IP address via web service

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Drops desktop.ini file(s)

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

outlook_win_path

outlook_office_path

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-29 19:53

Signatures

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-29 19:53

Reported

2024-04-29 19:55

Platform

win7-20240221-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File created C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File created C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File created C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 172.67.160.84:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 ipbase.com udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 172.67.209.71:443 ipbase.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.26.12.205:443 api.ipify.org tcp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2212-0-0x0000000000BE0000-0x0000000000C36000-memory.dmp

memory/2212-1-0x00000000745D0000-0x0000000074CBE000-memory.dmp

memory/2212-2-0x0000000005120000-0x0000000005160000-memory.dmp

C:\Users\Admin\AppData\Roaming\IZKCKOTP\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\RegisterDisable.docx

MD5 29cf334cabb5f105c0d4abeac4507b61
SHA1 cf46f9e572436e6e59db8b3deb03f488a0bb0648
SHA256 b7e37e718395f43486bf33ef945f1e83549fa0cc5df7705dbed43fc10f073e55
SHA512 b068921abd2e04cc3f38b57f556232b8534d1cd635cb5e9ba87b47bd385a40d23a5e34034410b5d8ee0b79209020dde1607c82f040b6c03bd876ebe14933aaf9

C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\RepairWait.docx

MD5 9840b8f362f66b4c9eddcdd642223383
SHA1 2ac2f8389bbd3ec2857b985fece8ebb6991ee42e
SHA256 f44d3ec573dedb4da4c44664f99435b5ff9d0c0dc5a5f716f55cee215d0c01f9
SHA512 b53522ef02bbac5817d6f9f010a653ea19bf6a96d6da8e3b9ae704dca4ef740241697014a0ef6d8ca560a2e8e13682133ac0067841336e081a7a0759c66781b1

C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\SkipUndo.xls

MD5 476f0b542a2bc62381aab59c1a4edf82
SHA1 2f8138347e4af234e329332ef8b3fc8e5531b21b
SHA256 02b3575871061734d6b8c61f69ad35423e1150fc4e8a4eed588e32f04e5a67cb
SHA512 477eb5c96fafbfc535d1489c019b1444e4ef704603cfa34acd3e7cbd8d25e679ae88cf4de4882df6c69b8eabfd577a62ddae8ee630b012e256ff914ab7ee236a

C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Documents\StepUninstall.rtf

MD5 47ed7393f4d0e04983474eeac905c4a5
SHA1 09881e90a4636b18e917e3176a8c2ac2aad45212
SHA256 f6e4c21006a2b3fdd5c14b2a3e0fd6390d4481bad7a24d5bed5aea1cd00d6207
SHA512 03375de8d9c915015f04e0a673c82f7097912f8d169e7240f3bd561de27db63c32fc4e7da21b2012f44fac114393b2c92cdf759b7617fa89dbb05e45cfe2a5af

C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\ImportDismount.svg

MD5 a04cdb0c3f9de5a30e64a10522acd98e
SHA1 caba55395fed4baa76c3edae5ba342096096f276
SHA256 455147fff36279df31f9e8397a74a6e8fe22446411690e9875006a68bd6f6c64
SHA512 c9288401029588cf3a007e27b98c4d6b376ed805b643abacf13f63846714be02c4b593fda51f4414582455b9d993e489d7d29c10cdf5afc8f7682e520bb07804

C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\InstallRepair.sql

MD5 b1c27499ccf7b1f24461bb43a67a90d3
SHA1 776c274e38d00e507faf543cbf7f474f81e15abe
SHA256 4357c7e84ae174883b9e4c891559850c5f50e51e45a3c82afa4969b027e10ce6
SHA512 98840ec2248e53ef0dfab7df4bed36448ec5a38f0779eeb8ed4a53a6d28ed838395ef06c2c6215240c1247978d648b250807ea0e56442cc5f2dd58af5fb3252c

C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\InvokeRepair.xlsx

MD5 7f31a5545b2aae8d9f14972261cf6320
SHA1 90626d9850fe8f8d33ecdba2eb74cb3acdebd4b4
SHA256 0ce6de551926ceab3912ca06df8ddce9de2120631c34f0af10f5c644a5e3f46c
SHA512 febf36c131c4af4f67799b4bdb284c2990311224275dcef43ae903097a952a702116b1d0c85fd064c40108b1d68b4da3162f47c3f8a16971d7b9e32398c97279

C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\OpenRepair.docx

MD5 05c7541a2798121f303a7815e06dcec3
SHA1 01488c70247a35835f67dd6405796e84d1fd0c00
SHA256 23c115a65cc3dbaa7673f32afc38e4ebd190195c64317011adf7cae0b8105efa
SHA512 dc34fe7ac09a4c5f4e4938b0203b6c3a60037ed91c97e3795dff30b41ae3ff4fe785e8651d5dc5d4a2a94a7ac11671993078c496a50e691a9a1f3364618ce8f5

C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Pictures\DenyMount.png

MD5 97a922a1658950903eead6955c314cc7
SHA1 ea1caecabd131a1d9b17ee1bc1addfbe04e40a48
SHA256 a4f840bf3b13d5271e1d54943b500a6564a366ac8bd73ff9e1973699a3ce9a78
SHA512 a02ba7a9d21f6d18bac4e9886bcb47285723c39d85db9b41f5fd21bd64fa00e4cccab482c5961372fb2bc94da8b59152c0bbf1b3a9cf322f710efd79872d956c

memory/2212-164-0x00000000745D0000-0x0000000074CBE000-memory.dmp

memory/2212-190-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-29 19:53

Reported

2024-04-29 19:55

Platform

win10v2004-20240419-en

Max time kernel

55s

Max time network

50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\PYDWGGUE\FileGrabber\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File created C:\Users\Admin\AppData\Roaming\PYDWGGUE\FileGrabber\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File created C:\Users\Admin\AppData\Roaming\PYDWGGUE\FileGrabber\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File created C:\Users\Admin\AppData\Roaming\PYDWGGUE\FileGrabber\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A api.ipify.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp C:\Windows\System32\svchost.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Client.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Windows\system32\mspaint.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 660 -ip 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 1204

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InitializeNew.png" /ForceBootstrapPaint3D

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp

Files

memory/660-0-0x00000000009F0000-0x0000000000A46000-memory.dmp

memory/660-1-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/660-2-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/660-32-0x00000000064A0000-0x0000000006532000-memory.dmp

memory/660-33-0x0000000006AF0000-0x0000000007094000-memory.dmp

memory/660-35-0x0000000006960000-0x00000000069C6000-memory.dmp

C:\Users\Admin\AppData\Roaming\PYDWGGUE\Process.txt

MD5 fd81a473e0682a3f6d16613c710bd48f
SHA1 a133204dd2a0f81afb10c79c96183600d0aff03c
SHA256 5ba227a8e00023a1f711680437082a67d4a078bf1d8973e6e0200763fa072d42
SHA512 144300702bf2a7ef17a3f22efbf63cca8e62ef85738f61317352eca4f4728f79987e32d64b85461928f2f0c25561b0edfaf4b32aadca7f8b57c4c3f1881558ff

memory/660-120-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/660-121-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/660-156-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/4388-161-0x0000024823C60000-0x0000024823C70000-memory.dmp

memory/4388-168-0x000002482BF40000-0x000002482BF41000-memory.dmp

memory/4388-170-0x000002482BFC0000-0x000002482BFC1000-memory.dmp

memory/4388-172-0x000002482BFC0000-0x000002482BFC1000-memory.dmp

memory/4388-173-0x000002482C050000-0x000002482C051000-memory.dmp

memory/4388-174-0x000002482C050000-0x000002482C051000-memory.dmp

memory/4388-175-0x000002482C060000-0x000002482C061000-memory.dmp

memory/4388-176-0x000002482C060000-0x000002482C061000-memory.dmp