Analysis Overview
SHA256
1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05
Threat Level: Known bad
The file NA_1ed33d760f151b33b3d20bf9e_JC.exe was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Themida packer
Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
GoLang User-Agent
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-26 13:08
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-26 13:08
Reported
2023-07-26 13:11
Platform
win7-20230712-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2076 set thread context of 240 | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rcam25.tuktuk.ug | udp |
| NL | 85.209.3.9:11290 | rcam25.tuktuk.ug | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-26 13:08
Reported
2023-07-26 13:11
Platform
win10v2004-20230703-en
Max time kernel
153s
Max time network
158s
Command Line
Signatures
Laplas Clipper
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3332 set thread context of 4320 | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\Notepod.exe
"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rcam25.tuktuk.ug | udp |
| NL | 85.209.3.9:11290 | rcam25.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 9.3.209.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| NL | 45.66.230.149:80 | 45.66.230.149 | tcp |
| US | 8.8.8.8:53 | 149.230.66.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Notepod.exe
| MD5 | 18658dec7775fa53f081b892d6a2b027 |
| SHA1 | fa8d901c7aac70e2c37544883ce087e48c6302d1 |
| SHA256 | 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554 |
| SHA512 | cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 9f0befb01d77d751bfb27fd520cbffea |
| SHA1 | c49489a5780f9315aefe698f801b78f114e9bd69 |
| SHA256 | cebc9aef1a03d8b4d6ae39651f5e2d4eabfccaf5d514a0f633bb00ca24e3b3e9 |
| SHA512 | 856132bb5d65583dc92ba15081a7187b50eabda21c598fa6a97ab0f2a83137300777e6da7fc33c4dec15c5420250854b2a6f076fcda706895146ce8ba377550f |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 62b4664f8063c068e052fa5766605dd4 |
| SHA1 | 882236f7263d971659481cf7987d443007389721 |
| SHA256 | c359022559dde1cce30733ab1940e7fdbfa240e3bc179f4a137668c317066109 |
| SHA512 | c482cce7fe4cbac458cbf3590544cf83379a3b0818206747958b46db8cbe6ed9cf7a7ecb69b370bd1f77ce6141ee21deae43efa2d574216cf6569d2f5b3f870c |