Analysis Overview
SHA256
125feebfb2a0a40dabe47bc79cabfc93c575e7a670890ba2aab42f2743ea532f
Threat Level: Known bad
The file SWIFT COPIES.exe was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Credentials from Password Stores: Credentials from Web Browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
AutoIT Executable
Suspicious use of SetThreadContext
Browser Information Discovery
Unsigned PE
System Location Discovery: System Language Discovery
outlook_office_path
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-30 07:15
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-30 07:15
Reported
2024-08-30 07:17
Platform
win10v2004-20240802-en
Max time kernel
135s
Max time network
155s
Command Line
Signatures
VIPKeylogger
Credentials from Password Stores: Credentials from Web Browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4488 set thread context of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4488 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4488 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4488 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4488 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 172.67.177.134:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 169.8.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.177.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.humatextiles.com | udp |
| GB | 149.255.62.163:587 | mail.humatextiles.com | tcp |
| US | 8.8.8.8:53 | 163.62.255.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4488-11-0x00000000009E0000-0x00000000009E4000-memory.dmp
memory/1100-12-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1100-13-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1100-16-0x00000000745FE000-0x00000000745FF000-memory.dmp
memory/1100-15-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1100-14-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1100-17-0x0000000005280000-0x00000000052DE000-memory.dmp
memory/1100-19-0x0000000005980000-0x0000000005F24000-memory.dmp
memory/1100-18-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/1100-21-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/1100-20-0x0000000005320000-0x000000000537C000-memory.dmp
memory/1100-22-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/1100-52-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-82-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-80-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-78-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-76-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-74-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-72-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-70-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-68-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-66-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-64-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-62-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-60-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-58-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-56-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-54-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-50-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-48-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-46-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-44-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-42-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-38-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-36-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-34-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-32-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-30-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-26-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-40-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-28-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-24-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-23-0x0000000005320000-0x0000000005377000-memory.dmp
memory/1100-1113-0x0000000005470000-0x000000000550C000-memory.dmp
memory/1100-1114-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/1100-1115-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1100-1116-0x00000000745FE000-0x00000000745FF000-memory.dmp
memory/1100-1117-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/1100-1118-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/1100-1119-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/1100-1120-0x00000000067C0000-0x0000000006982000-memory.dmp
memory/1100-1121-0x0000000006640000-0x0000000006690000-memory.dmp
memory/1100-1122-0x0000000006EC0000-0x00000000073EC000-memory.dmp
memory/1100-1123-0x0000000006A30000-0x0000000006AC2000-memory.dmp
memory/1100-1124-0x0000000006990000-0x000000000699A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-30 07:15
Reported
2024-08-30 07:17
Platform
win7-20240708-en
Max time kernel
68s
Max time network
147s
Command Line
Signatures
VIPKeylogger
Credentials from Password Stores: Credentials from Web Browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2640 set thread context of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | mail.humatextiles.com | udp |
| GB | 149.255.62.163:587 | mail.humatextiles.com | tcp |
Files
memory/2640-11-0x0000000000130000-0x0000000000134000-memory.dmp
memory/2036-12-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2036-14-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2036-15-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2036-16-0x00000000749FE000-0x00000000749FF000-memory.dmp
memory/2036-17-0x0000000000230000-0x000000000028E000-memory.dmp
memory/2036-18-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2036-20-0x0000000000C90000-0x0000000000CEC000-memory.dmp
memory/2036-21-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2036-19-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2036-47-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-81-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-79-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-77-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-73-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-71-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-69-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-67-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-65-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-63-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-61-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-59-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-57-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-55-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-53-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-51-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-45-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-43-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-41-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-39-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-37-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-35-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-33-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-31-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-29-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-27-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-25-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-75-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-23-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-22-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-49-0x0000000000C90000-0x0000000000CE7000-memory.dmp
memory/2036-1112-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2036-1113-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2036-1114-0x00000000749FE000-0x00000000749FF000-memory.dmp
memory/2036-1115-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2036-1116-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2036-1117-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2036-1118-0x00000000749F0000-0x00000000750DE000-memory.dmp