Analysis Overview
SHA256
b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
Threat Level: Known bad
The file b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2 was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
GoLang User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-30 23:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-30 23:23
Reported
2023-07-30 23:28
Platform
win7-20230712-en
Max time kernel
273s
Max time network
288s
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1136 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe
"C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
Files
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | d5e7c895eb1a32945a5fbf65d41631a7 |
| SHA1 | c7d3c5d94e19ee1f7874546dce7c955b4128a88d |
| SHA256 | 43ae7e474586ff89d3f5bce278418387f9445f52f8badf2975a4103919f6f31e |
| SHA512 | 4dacb73a4e293064feeac85f0585d33c14bcadd97b566cd1dd8957e31643097081faaa0bab29a4b22e96678f774d57ae2cc88f2c82ea24dabd0f6243ce674728 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-30 23:23
Reported
2023-07-30 23:28
Platform
win10-20230703-en
Max time kernel
290s
Max time network
256s
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2684 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe
"C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 149.230.66.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | b3deb9b04ab98fd660748cb0eaccd5cc |
| SHA1 | cf89e1affb2361a792a56cddeabb4a96af3f5a78 |
| SHA256 | 2b94cc7c63d0bc8f424f6e13addb0a4af2a178ec2b9daa29ad848ae21213a068 |
| SHA512 | cfb842e12e3d76fa841c62e3ee590969c436d256a9ff97e2066eea117e2a78a100d673391eeaaaebe7b9edf1c2ce373c7ad8dd22115a529525ad9b2fdbf386ed |