Malware Analysis Report

2025-05-05 21:48

Sample ID 241202-mxbg3s1mdw
Target c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe
SHA256 c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0
Tags
discovery vipkeylogger keylogger stealer collection spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0

Threat Level: Known bad

The file c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe was found to be: Known bad.

Malicious Activity Summary

discovery vipkeylogger keylogger stealer collection spyware

VIPKeylogger

Vipkeylogger family

Reads user/profile data of local email clients

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Program crash

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-02 10:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-02 10:50

Reported

2024-12-02 10:52

Platform

win7-20240903-en

Max time kernel

37s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-02 10:50

Reported

2024-12-02 10:52

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4928 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4928 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4928 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2632 -ip 2632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-02 10:50

Reported

2024-12-02 10:52

Platform

win7-20240903-en

Max time kernel

48s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\0409\mackle\outsallying.Skn C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe
PID 2148 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe
PID 2148 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe
PID 2148 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe
PID 2148 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe
PID 2148 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe

"C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe"

C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe

"C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.180.14:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.200.3:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.80:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 23.192.22.93:80 www.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsoC8AE.tmp\System.dll

MD5 3e6bf00b3ac976122f982ae2aadb1c51
SHA1 caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
SHA256 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
SHA512 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

C:\Users\Admin\subacidity.lnk

MD5 4c9e895b394686a7c8f15300bbb74165
SHA1 4489c06047af9423b20df3a5adc19940632ea3ef
SHA256 8a330ab4815b908b5229670bcd3881bcd620311c63d078a4a403662799fd365b
SHA512 bd533ea3d3c1106801a79c203341106416dd577b633c91dcfef2e8447b7e82dd74139e48cd97336c4dfb7e8e49aa859c5f160e7e1e33763a7c47f1368b1d40ac

memory/2148-31-0x0000000077431000-0x0000000077532000-memory.dmp

memory/2148-32-0x0000000077430000-0x00000000775D9000-memory.dmp

memory/2892-33-0x0000000077430000-0x00000000775D9000-memory.dmp

memory/2892-53-0x0000000000460000-0x00000000014C2000-memory.dmp

memory/2892-54-0x0000000000460000-0x00000000014C2000-memory.dmp

memory/2892-55-0x0000000000460000-0x00000000004A8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-02 10:50

Reported

2024-12-02 10:52

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\0409\mackle\outsallying.Skn C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe

"C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe"

C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe

"C:\Users\Admin\AppData\Local\Temp\c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.180.14:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.200.3:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 73.247.226.132.in-addr.arpa udp
US 8.8.8.8:53 134.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsuB8D2.tmp\System.dll

MD5 3e6bf00b3ac976122f982ae2aadb1c51
SHA1 caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
SHA256 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
SHA512 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

C:\Users\Admin\subacidity.lnk

MD5 f561c1f4d158ad919486fab3f0919e8f
SHA1 c2c5ec10cd52a3da01c2a94da5247717bcd201e3
SHA256 162ae0870ec561724d8747554e0c55b7a6eb4021ddd8093a3ba7b2a875a703ee
SHA512 8e56f8525e8f0c18c4d1e8b9b80c30112b2b7315cd6d3b877b79a85a46f7bfb4eb52f5de272eb0e70b43054c43e931b584befc858c1db2e053ef557b60513cb3

memory/1136-31-0x00000000779A1000-0x0000000077AC1000-memory.dmp

memory/1136-33-0x0000000010004000-0x0000000010005000-memory.dmp

memory/1136-32-0x00000000779A1000-0x0000000077AC1000-memory.dmp

memory/3920-34-0x0000000077A28000-0x0000000077A29000-memory.dmp

memory/3920-35-0x0000000077A45000-0x0000000077A46000-memory.dmp

memory/3920-48-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3920-50-0x00000000779A1000-0x0000000077AC1000-memory.dmp

memory/3920-49-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/3920-51-0x000000007289E000-0x000000007289F000-memory.dmp

memory/3920-52-0x0000000000460000-0x00000000004A8000-memory.dmp

memory/3920-53-0x0000000039D80000-0x000000003A324000-memory.dmp

memory/3920-54-0x000000003A330000-0x000000003A3CC000-memory.dmp

memory/3920-55-0x0000000072890000-0x0000000073040000-memory.dmp

memory/3920-57-0x000000007289E000-0x000000007289F000-memory.dmp

memory/3920-58-0x000000003A910000-0x000000003AAD2000-memory.dmp

memory/3920-59-0x000000003AAE0000-0x000000003AB30000-memory.dmp

memory/3920-60-0x0000000072890000-0x0000000073040000-memory.dmp

memory/3920-62-0x000000003AB60000-0x000000003ABF2000-memory.dmp

memory/3920-63-0x000000003AC50000-0x000000003AC5A000-memory.dmp