Malware Analysis Report

2024-11-13 18:06

Sample ID 241109-w1mh7azbra
Target 4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N
SHA256 4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363
Tags
bootkit discovery persistence spyware stealer
score
8/10

Analysis Overview

score
8/10

SHA256

4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363

Threat Level: Likely malicious

The file 4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence spyware stealer

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Adds Run key to start application

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 18:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 18:23

Reported

2024-11-09 18:25

Platform

win7-20240903-en

Max time kernel

112s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\lmapu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\lmapu.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\qbutr\\xgaha.dll\",GetWindowClass" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\lmapu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe N/A
N/A N/A \??\c:\lmapu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1736 wrote to memory of 812 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\lmapu.exe
PID 812 wrote to memory of 2092 N/A \??\c:\lmapu.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe

"C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\lmapu.exe "C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\lmapu.exe

c:\lmapu.exe "C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\qbutr\xgaha.dll",GetWindowClass c:\lmapu.exe

Network

Country Destination Domain Proto
US 67.229.62.198:803 tcp
US 67.229.62.194:3201 tcp
US 67.229.62.197:805 tcp

Files

memory/3044-0-0x0000000000400000-0x0000000000425400-memory.dmp

memory/3044-2-0x0000000000400000-0x0000000000425400-memory.dmp

memory/1736-4-0x0000000000210000-0x0000000000236000-memory.dmp

\??\c:\lmapu.exe

MD5 a9c793287647e0c17b2cf2fc927c31af
SHA1 9fe4390c1dc3f1a9c2b588dbc79f9f3b90f5a259
SHA256 ded080287f8842423442964e64ac3b5b0c243443b1c29e92ebedd6e0894b5d08
SHA512 a897b459f67d6f239fa5cbdf3eed7e1c288368e1346f7704f2148e3a6f78728f103b329787a11c0a602e4aff0c383f1f4caa24a64363fa24d1fadcf3f533dabf

memory/812-8-0x0000000000400000-0x0000000000425400-memory.dmp

\??\c:\qbutr\xgaha.dll

MD5 bec93912524f50c6f7c943716c7ef02b
SHA1 69ba8f1dd5a7d6cd94d688c691406cbd54be4486
SHA256 032570414587af2303431e8db5d5f4223e0147f4b63a2160b97d9a6ea531bd81
SHA512 41fb8970e9007c789227740e81a483bda806470ce25476589a3dfceddaaa60b20d890c37b56f8be83defb2a5b774dbd6c2026fc259884e8acf2971b06041f6a6

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 18:23

Reported

2024-11-09 18:25

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\swyxl.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\swyxl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\mjkczeb\\infmjdn.dll\",GetWindowClass" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\swyxl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe N/A
N/A N/A \??\c:\swyxl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe

"C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\swyxl.exe "C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\swyxl.exe

c:\swyxl.exe "C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\mjkczeb\infmjdn.dll",GetWindowClass c:\swyxl.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 67.229.62.198:803 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 67.229.62.194:3201 tcp
US 67.229.62.197:805 tcp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/900-0-0x0000000000400000-0x0000000000425400-memory.dmp

memory/900-3-0x0000000000400000-0x0000000000425400-memory.dmp

C:\swyxl.exe

MD5 689ab57d641054d7d85554d930b272b0
SHA1 be430d723d7e9e61668055e12dfd00716ed8b774
SHA256 f779e5ba961278c4c63028e72d90addd425d224f8139e28a28f5b7248ae83ec2
SHA512 1e78e42a98584935169d7ba943745c89851f8df84a53d1b36f9a0f5b3bea839d3af5eeef1cd7704ae6b9a962a287ba89c6e971f149f2fcebf504d86730c093fd

memory/1996-9-0x0000000000400000-0x0000000000425400-memory.dmp

\??\c:\mjkczeb\infmjdn.dll

MD5 bec93912524f50c6f7c943716c7ef02b
SHA1 69ba8f1dd5a7d6cd94d688c691406cbd54be4486
SHA256 032570414587af2303431e8db5d5f4223e0147f4b63a2160b97d9a6ea531bd81
SHA512 41fb8970e9007c789227740e81a483bda806470ce25476589a3dfceddaaa60b20d890c37b56f8be83defb2a5b774dbd6c2026fc259884e8acf2971b06041f6a6
