Analysis Overview
SHA256
26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc
Threat Level: Known bad
The file 26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Loads dropped DLL
Checks BIOS information in registry
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
GoLang User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-30 23:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-30 23:19
Reported
2023-07-30 23:25
Platform
win7-20230712-en
Max time kernel
299s
Max time network
335s
Command Line
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 484 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe
"C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| NL | 185.209.161.89:80 | 185.209.161.89 | tcp |
Files
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 83928261525456d29f59dca1ed2d2d3e |
| SHA1 | 24380f35a6d9ad7ad10f30c88add55cb50e4745f |
| SHA256 | 14a8205709b18a3d40c4526a84fd01786a8703000c92077450ceca3840f293ad |
| SHA512 | fd25adc24cc9c68c77fbbc26f4e427ab8002203cba30a0db7416c70e400a411fb1aa730c60c6988cc290d575d0624ce78b2856f3ea5e35db3380f11528b30a20 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-30 23:19
Reported
2023-07-30 23:24
Platform
win10-20230703-en
Max time kernel
291s
Max time network
248s
Command Line
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 380 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe
"C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| NL | 185.209.161.89:80 | 185.209.161.89 | tcp |
| US | 8.8.8.8:53 | 89.161.209.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.0.0.0.0.f.6.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | af330f0b7212163246bec30474a8a35a |
| SHA1 | 5209d326bf5ba18b7606296f27697fc3b78bc4cc |
| SHA256 | d8bf3d35bc23529b1605dc8bcaedbae47e4b3f3c8ef8fb41ca1fbf867846bb5b |
| SHA512 | 90d2f1a358624b80ef88af0264bd99ccb99d1e015c83296359320b973f0f52475cf81aa340f5b9fcb469aeacbf8e6dc0860c6c24d86823e9b71dc4facaabaf4a |