Analysis Overview
SHA256
b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106
Threat Level: Known bad
The file b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106 was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
GoLang User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-27 22:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-27 22:39
Reported
2023-07-27 22:44
Platform
win7-20230712-en
Max time kernel
284s
Max time network
277s
Command Line
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1996 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe
"C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 206.189.229.43:80 | 206.189.229.43 | tcp |
Files
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | affafd622aca30d729b62c5e9dfbf889 |
| SHA1 | c87b0aceb012fed20c157ad8c32f0ee495dbc89a |
| SHA256 | 303b2594ea959ada9f8639ca4788230c0898f21ff94c44ea83bf1ad57e2a1a18 |
| SHA512 | c9024d6e6f9989bea70d3ebf5aec24ee756ea729063b25030335ff6532bd2748e1bc119b9cdcaf854dfffcba0ef72c9b60f803ac58e6416dc8fdc72349121f28 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-27 22:39
Reported
2023-07-27 22:44
Platform
win10-20230703-en
Max time kernel
300s
Max time network
189s
Command Line
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2916 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe
"C:\Users\Admin\AppData\Local\Temp\b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 206.189.229.43:80 | 206.189.229.43 | tcp |
| US | 8.8.8.8:53 | 43.229.189.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 95807536369c822dd6e63a6ef0c5e201 |
| SHA1 | 581648be4bcfe9a4a0b7c0e85c09b6d33c1b5e1b |
| SHA256 | 5be38345f75e129af8b7e6905de5597f3097e77a21d838461b6d390f74caf45c |
| SHA512 | eadf61d57b867d5a612950111730c9823b62910a5cc0d18ca04e895eb1f84c7de89fd37e46f88a584dce7edb04ac47410a82dc46d03374a52fca693365b4bae9 |