Analysis Overview
SHA256
857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
Threat Level: Known bad
The file asdf.EXEkeacgpkh was found to be: Known bad.
Malicious Activity Summary
Oski
Raccoon
Azorult
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-11 02:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-11 02:59
Reported
2022-04-11 03:10
Platform
win7-20220310-en
Max time kernel
4294183s
Max time network
125s
Command Line
Signatures
Oski
Raccoon
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1920 set thread context of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\asdf.exe | C:\Users\Admin\AppData\Local\Temp\asdf.exe |
| PID 2036 set thread context of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\asdf.exe
"C:\Users\Admin\AppData\Local\Temp\asdf.exe"
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"
C:\Users\Admin\AppData\Local\Temp\asdf.exe
"C:\Users\Admin\AppData\Local\Temp\asdf.exe"
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 776
Network
| Country | Destination | Domain | Proto |
| RO | 5.252.178.180:80 | | tcp |
| RO | 5.252.178.180:80 | | tcp |
| US | 8.8.8.8:53 | pretorian.ug | udp |
| SC | 185.215.113.77:80 | pretorian.ug | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-11 02:59
Reported
2022-04-11 03:05
Platform
win10v2004-20220331-en
Max time kernel
133s
Max time network
151s
Command Line
Signatures
Azorult
Oski
Raccoon
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\asdf.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2972 set thread context of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe |
| PID 1600 set thread context of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\asdf.exe | C:\Users\Admin\AppData\Local\Temp\asdf.exe |
| PID 1288 set thread context of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\asdf.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\asdf.exe
"C:\Users\Admin\AppData\Local\Temp\asdf.exe"
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
C:\Users\Admin\AppData\Local\Temp\asdf.exe
"C:\Users\Admin\AppData\Local\Temp\asdf.exe"
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 920 -ip 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1204
Network
| Country | Destination | Domain | Proto |
| FI | 62.115.252.112:80 | | tcp |
| NL | 52.109.88.35:443 | | tcp |
| US | 20.189.173.7:443 | | tcp |
| US | 8.8.8.8:53 | pretorian.ug | udp |
| RO | 5.252.178.180:80 | | tcp |
| US | 8.8.8.8:53 | underdohag.ac.ug | udp |
| SC | 185.215.113.77:80 | underdohag.ac.ug | tcp |
| SC | 185.215.113.77:80 | underdohag.ac.ug | tcp |
| RO | 5.252.178.180:80 | | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 172.104.232.134:80 | 172.104.232.134 | tcp |
Files