Analysis Overview
SHA256
db14e897b3b268f92bb15f0720d4ec0c191949b660e966027cd6ec656c00cc26
Threat Level: Known bad
The file 298e8a80.exe was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
SmokeLoader
Detect rhadamanthys stealer shellcode
Downloads MZ/PE file
Executes dropped EXE
Accesses Microsoft Outlook profiles
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-19 10:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-19 10:20
Reported
2023-04-19 10:22
Platform
win7-20230220-en
Max time kernel
150s
Max time network
34s
Command Line
Signatures
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\298e8a80.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\298e8a80.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\298e8a80.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\298e8a80.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\298e8a80.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\298e8a80.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\298e8a80.exe
"C:\Users\Admin\AppData\Local\Temp\298e8a80.exe"
Network
Files
memory/1728-55-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1320-56-0x0000000002260000-0x0000000002276000-memory.dmp
memory/1728-57-0x0000000000400000-0x0000000002B94000-memory.dmp
memory/1320-60-0x000007FF5D9E0000-0x000007FF5D9EA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-19 10:20
Reported
2023-04-19 10:22
Platform
win10v2004-20230221-en
Max time kernel
151s
Max time network
146s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
Rhadamanthys
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33F1.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\298e8a80.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\298e8a80.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\298e8a80.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\dllhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\298e8a80.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\298e8a80.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\298e8a80.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3172 wrote to memory of 2276 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33F1.exe |
| PID 2276 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\33F1.exe | C:\Windows\system32\dllhost.exe |
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\298e8a80.exe
"C:\Users\Admin\AppData\Local\Temp\298e8a80.exe"
C:\Users\Admin\AppData\Local\Temp\33F1.exe
C:\Users\Admin\AppData\Local\Temp\33F1.exe
C:\Windows\system32\dllhost.exe
"C:\Windows\system32\dllhost.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\33F1.exe
| MD5 | 1443c5bbc58a9283df31c026ec145fe8 |
| SHA1 | 0461d42ac46ab778e2b64da3470b5421cef258b4 |
| SHA256 | a865ff24fa16c3e701d9b08ca7309793cb1980eefde88a31e94454c74da90d20 |
| SHA512 | 764d69cb407d7d7cab8ae7bc417df4dfee3465de6fbc29cc311b94e45b1558c147049fff448b8a9bb6a4a164f510105c69d293d358f9b2b89da6aeb26ada242a |