Analysis Overview
SHA256
8eef68e38ffd16167815c1e257779bd65af3accec82cd840905241c197ddcc2c
Threat Level: Known bad
The file a72d5fc2211db435af9ab375f832b3cd.exe was found to be: Known bad.
Malicious Activity Summary
Nirsoft
NirSoft WebBrowserPassView
NirSoft MailPassView
Nirsoft
Executes dropped EXE
UPX packed file
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Loads dropped DLL
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-07 19:38
Signatures
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-07 19:38
Reported
2024-01-07 19:41
Platform
win7-20231215-en
Max time kernel
166s
Max time network
130s
Command Line
Signatures
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mspass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ProduKey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MC.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mspass.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe
"C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe"
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe /stext C:\Users\Admin\AppData\Local\Temp\Opera.txt
C:\Users\Admin\AppData\Local\Temp\ProduKey.exe
C:\Users\Admin\AppData\Local\Temp\ProduKey.exe /stext C:\Users\Admin\AppData\Local\Temp\ProduKey.txt
C:\Users\Admin\AppData\Local\Temp\mspass.exe
C:\Users\Admin\AppData\Local\Temp\mspass.exe /stext C:\Users\Admin\AppData\Local\Temp\MS.txt
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F8A1.tmp\TestLunch.bat" "
C:\Windows\system32\java.exe
java -jar "test.jar"
C:\Users\Admin\AppData\Local\Temp\MC.exe
C:\Users\Admin\AppData\Local\Temp\MC.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.root-p4l.hostoi.com | udp |
| US | 153.92.0.100:80 | www.root-p4l.hostoi.com | tcp |
| US | 153.92.0.100:80 | www.root-p4l.hostoi.com | tcp |
| US | 153.92.0.100:80 | www.root-p4l.hostoi.com | tcp |
| US | 153.92.0.100:80 | www.root-p4l.hostoi.com | tcp |
| US | 153.92.0.100:80 | www.root-p4l.hostoi.com | tcp |
| US | 153.92.0.100:80 | www.root-p4l.hostoi.com | tcp |
Files
memory/2668-0-0x00000000749D0000-0x0000000074F7B000-memory.dmp
memory/2668-1-0x00000000749D0000-0x0000000074F7B000-memory.dmp
memory/2668-2-0x00000000000F0000-0x0000000000130000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
\Users\Admin\AppData\Local\Temp\mspass.exe
| MD5 | ffc52f2b4435fcddaca6e15489a88b75 |
| SHA1 | 63ec31a04cf176852344d544ae855da0dac64980 |
| SHA256 | 3f3c8484962b395f304a836ee5e8ee17beaafe982795c9747d8ee98cc6e4ca8f |
| SHA512 | 389694feccfe6ca352705b9481913fece6d1d47083f235ccdd60c05cfda82606be53845fde0dba8ec3f3748f820a828c9be0ce078c8b9cc853285b23f172841c |
memory/2580-23-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2668-24-0x00000000009B0000-0x00000000009D6000-memory.dmp
\Users\Admin\AppData\Local\Temp\ProduKey.exe
| MD5 | 12507d0c4b2963ba229e02ff961ec400 |
| SHA1 | 6a9b296e5b614457f106cfc8ed6fc24bd75ba9aa |
| SHA256 | bbcb52b0538c81d9ced034e2c0435188bcd1d36f09bce76654f494e4d5dcdb0c |
| SHA512 | 1ad84dc8f90fd2342f4136d7594a0e10ea6ceefa0fd1b64a96a9200af260f76e3be22e1e3d6577c8b6b9a4ac655d0a8e2e2615f52114e1b11fd0773ec4e2bf10 |
memory/2244-39-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2244-43-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ProduKey.txt
| MD5 | 280d0cbfe3a26c806d64da5440a96b42 |
| SHA1 | a22bd38174c75b3a1c7a0b8492c7f4cdbbcd1d83 |
| SHA256 | 414ffaf22c19613483164f5b28e5d62816b5321cea6c25dfc32d4074e2b788eb |
| SHA512 | 09540ab38fd7a69c83dc839896e71f2d0637b31a2ddfe05b0a519fc1669dec186fe5535ebffc8668c6082a6ebb4be85fe862c432eba8d3c81c57bf959ec1b9c8 |
memory/2668-40-0x00000000749D0000-0x0000000074F7B000-memory.dmp
memory/2668-38-0x00000000009B0000-0x00000000009C8000-memory.dmp
memory/2668-45-0x00000000000F0000-0x0000000000130000-memory.dmp
memory/2668-47-0x00000000000F0000-0x0000000000130000-memory.dmp
memory/2668-46-0x00000000749D0000-0x0000000074F7B000-memory.dmp
memory/2668-49-0x00000000000F0000-0x0000000000130000-memory.dmp
memory/2668-48-0x00000000000F0000-0x0000000000130000-memory.dmp
memory/2668-32-0x00000000009B0000-0x00000000009C8000-memory.dmp
memory/2580-25-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2668-22-0x00000000009B0000-0x00000000009D6000-memory.dmp
memory/2668-50-0x00000000000F0000-0x0000000000130000-memory.dmp
memory/2668-65-0x00000000009B0000-0x00000000009C8000-memory.dmp
memory/1648-64-0x0000000140000000-0x0000000140017000-memory.dmp
memory/2668-63-0x00000000009B0000-0x00000000009D6000-memory.dmp
memory/2668-62-0x0000000001150000-0x0000000001167000-memory.dmp
memory/2668-60-0x00000000009B0000-0x00000000009D6000-memory.dmp
memory/2668-55-0x0000000001150000-0x0000000001167000-memory.dmp
memory/564-92-0x0000000002100000-0x0000000005100000-memory.dmp
memory/564-94-0x0000000000130000-0x0000000000131000-memory.dmp
memory/1648-95-0x0000000140000000-0x0000000140017000-memory.dmp
memory/2668-96-0x00000000009B0000-0x00000000009C8000-memory.dmp
memory/2668-98-0x00000000000F0000-0x0000000000130000-memory.dmp
memory/2668-99-0x00000000000F0000-0x0000000000130000-memory.dmp
memory/2668-100-0x00000000000F0000-0x0000000000130000-memory.dmp
memory/2668-101-0x00000000000F0000-0x0000000000130000-memory.dmp
memory/2668-102-0x0000000001150000-0x0000000001167000-memory.dmp
memory/2668-103-0x0000000001150000-0x0000000001167000-memory.dmp
memory/564-104-0x0000000002100000-0x0000000005100000-memory.dmp
memory/2668-107-0x0000000007DB0000-0x0000000007EB0000-memory.dmp
memory/2668-117-0x0000000007DB0000-0x0000000007EB0000-memory.dmp
memory/2668-123-0x00000000000F0000-0x0000000000130000-memory.dmp
memory/2668-124-0x00000000000F0000-0x0000000000130000-memory.dmp
memory/2668-129-0x0000000001150000-0x0000000001153000-memory.dmp
memory/2668-128-0x00000000749D0000-0x0000000074F7B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-07 19:38
Reported
2024-01-07 19:41
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
157s
Command Line
Signatures
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mspass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ProduKey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MC.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mspass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mspass.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mspass.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe
"C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe"
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe /stext C:\Users\Admin\AppData\Local\Temp\Opera.txt
C:\Users\Admin\AppData\Local\Temp\mspass.exe
C:\Users\Admin\AppData\Local\Temp\mspass.exe /stext C:\Users\Admin\AppData\Local\Temp\MS.txt
C:\Users\Admin\AppData\Local\Temp\ProduKey.exe
C:\Users\Admin\AppData\Local\Temp\ProduKey.exe /stext C:\Users\Admin\AppData\Local\Temp\ProduKey.txt
C:\Users\Admin\AppData\Local\Temp\MC.exe
C:\Users\Admin\AppData\Local\Temp\MC.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 50.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.root-p4l.hostoi.com | udp |
| US | 153.92.0.100:80 | www.root-p4l.hostoi.com | tcp |
| US | 153.92.0.100:80 | www.root-p4l.hostoi.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 153.92.0.100:80 | www.root-p4l.hostoi.com | tcp |
| US | 153.92.0.100:80 | www.root-p4l.hostoi.com | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 153.92.0.100:80 | www.root-p4l.hostoi.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.179.17.96.in-addr.arpa | udp |
| GB | 96.17.179.82:80 | tcp | |
| GB | 96.17.179.82:80 | tcp | |
| GB | 96.17.179.82:80 | tcp | |
| GB | 96.17.179.82:80 | tcp | |
| GB | 96.17.179.82:80 | tcp | |
| GB | 96.17.179.82:80 | tcp | |
| GB | 96.17.179.82:80 | tcp | |
| GB | 96.17.179.82:80 | tcp | |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| GB | 96.17.179.82:80 | tcp |
Files
memory/4304-0-0x00000000754C0000-0x0000000075A71000-memory.dmp
memory/4304-1-0x00000000754C0000-0x0000000075A71000-memory.dmp
memory/4304-2-0x0000000001830000-0x0000000001840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe
| MD5 | 3b6bcf49057ea94968017b3d14cdf72d |
| SHA1 | 41ca649fdc27e352d2f7f8b4e14f84d21d20ab4b |
| SHA256 | 989f90eb63cf2c215d81a9838911f990e1bf4a97660c21a988d74f605abfc6e9 |
| SHA512 | cfe0daaba893458553655b4b30a51fcd25e2be8023c3328f4420dff44909cd66131d41cce39843a1883f56b49a423a821e79fc235b169ff1d2087f72f9a20206 |
C:\Users\Admin\AppData\Local\Temp\Opera.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/1584-14-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1584-15-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2332-23-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2332-26-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ProduKey.txt
| MD5 | 29662ec08f5aa491b2733fa5f4dee30d |
| SHA1 | bde21bcab3fc10cd6795a821e4f039fe4ff876e8 |
| SHA256 | 365b0c56b65f24da09586d7cda5f7389666d8ce6585c2deb19c26868f0979d38 |
| SHA512 | a5216d00c9be46d2a3c8119c4dc17d458ecec36ef03e9de7001911ed423024c3b95e5ec665d5d4f6baadcf56d2afd792ae8a9fe133f31574f82973f391255329 |
C:\Users\Admin\AppData\Local\Temp\ProduKey.exe
| MD5 | 12507d0c4b2963ba229e02ff961ec400 |
| SHA1 | 6a9b296e5b614457f106cfc8ed6fc24bd75ba9aa |
| SHA256 | bbcb52b0538c81d9ced034e2c0435188bcd1d36f09bce76654f494e4d5dcdb0c |
| SHA512 | 1ad84dc8f90fd2342f4136d7594a0e10ea6ceefa0fd1b64a96a9200af260f76e3be22e1e3d6577c8b6b9a4ac655d0a8e2e2615f52114e1b11fd0773ec4e2bf10 |
memory/4304-29-0x0000000001830000-0x0000000001840000-memory.dmp
memory/4304-30-0x0000000001830000-0x0000000001840000-memory.dmp
memory/4304-28-0x0000000001830000-0x0000000001840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mspass.exe
| MD5 | ffc52f2b4435fcddaca6e15489a88b75 |
| SHA1 | 63ec31a04cf176852344d544ae855da0dac64980 |
| SHA256 | 3f3c8484962b395f304a836ee5e8ee17beaafe982795c9747d8ee98cc6e4ca8f |
| SHA512 | 389694feccfe6ca352705b9481913fece6d1d47083f235ccdd60c05cfda82606be53845fde0dba8ec3f3748f820a828c9be0ce078c8b9cc853285b23f172841c |
C:\Users\Admin\AppData\Local\Temp\FZ.txt
| MD5 | 81051bcc2cf1bedf378224b0a93e2877 |
| SHA1 | ba8ab5a0280b953aa97435ff8946cbcbb2755a27 |
| SHA256 | 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6 |
| SHA512 | 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d |
memory/2240-37-0x0000000140000000-0x0000000140017000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MC.exe
| MD5 | eba43e8a28297df4146bef07654f4580 |
| SHA1 | a5e96a0e8cd441f48dfcc3b97d45b0b466a864fa |
| SHA256 | 714eb102758c1c0feaf34a7e888026e7c073b893e931ac12ec6f607627b55af9 |
| SHA512 | 2748f1f943767b5f2df5c9bc85f325a85f2d1c55090aa6e2d8e04901777200ba34ea75c4c6c49b473f964280b58f00e591f67a3b56f4e89f958e9f65966825bb |
memory/4304-39-0x0000000001830000-0x0000000001840000-memory.dmp
memory/4304-40-0x00000000754C0000-0x0000000075A71000-memory.dmp
memory/4304-41-0x00000000754C0000-0x0000000075A71000-memory.dmp
memory/4304-42-0x0000000001830000-0x0000000001840000-memory.dmp
memory/4304-43-0x0000000001830000-0x0000000001840000-memory.dmp
memory/4304-44-0x0000000001830000-0x0000000001840000-memory.dmp
memory/4304-45-0x0000000001830000-0x0000000001840000-memory.dmp
memory/4304-46-0x0000000001830000-0x0000000001840000-memory.dmp
memory/4304-47-0x0000000001830000-0x0000000001840000-memory.dmp
memory/4304-59-0x0000000001830000-0x0000000001840000-memory.dmp