Analysis Overview
SHA256
547bf6d6ed5ae181513ed653109514c73e5f50c3ea3a094bcd382fbd3c4b4bb0
Threat Level: Known bad
The file c2a770ca66e4ee54f078afe8a2eb27f7 was found to be: Known bad.
Malicious Activity Summary
Azorult
Raccoon
Oski
Raccoon Stealer V1 payload
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Modifies system certificate store
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-12 06:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-12 06:15
Reported
2024-03-12 06:17
Platform
win7-20240221-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Azorult
Oski
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1284 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe |
| PID 1456 set thread context of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe | C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe |
| PID 2632 set thread context of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe
"C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe"
C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe
"C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe"
C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe
"C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe"
C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe
"C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe"
C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe
"C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe"
C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe
"C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 768
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | telete.in | udp |
| DE | 185.53.177.54:443 | telete.in | tcp |
| US | 8.8.8.8:53 | gordons.ac.ug | udp |
| US | 8.8.8.8:53 | hsagoi.ac.ug | udp |
| US | 8.8.8.8:53 | gordons.ac.ug | udp |
Files
memory/1284-2-0x00000000001C0000-0x00000000001C1000-memory.dmp
\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe
| MD5 | 1f52ea06bdd59969bfa0f74cbe3d36e1 |
| SHA1 | 4ed0c4495a502830c46715fdef20033f29df51f8 |
| SHA256 | e6bd46f02b26c3670dbe7af7baa83411c793f7765994bf40ada869a81a4d340a |
| SHA512 | 48c7f339498ee5e07be238cf4ab059639557b27ff98f0d69752047ab83cf512ea13373fd7783e2aa9fd7a6a14ae861baceaa4614500f0647cff07255d892d672 |
C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe
| MD5 | b9924928f4b29aeefeae44164fcb572a |
| SHA1 | a8e5d7154f5692ecb437970fa13b10d5f6459a93 |
| SHA256 | 8a820fde18a110966a32716f5ebc4ca9a991bce2e08a58620f266d5372575bcd |
| SHA512 | 16b2450977d174bf43e8ea344b251469b60d4b5c7bd194637dd6418686766925cf382fdda2db4c57e060ad77b1a4b8d29b3500a07dd2e6ceb6a92b01f54ef5b9 |
memory/1284-23-0x00000000027D0000-0x00000000027D7000-memory.dmp
memory/2528-24-0x0000000000400000-0x0000000000496000-memory.dmp
memory/2644-29-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2644-33-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2528-36-0x0000000000400000-0x0000000000496000-memory.dmp
memory/2724-37-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2528-42-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2724-43-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2724-45-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2724-46-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2644-47-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2644-48-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2528-49-0x0000000000400000-0x0000000000492000-memory.dmp
memory/2724-50-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2528-57-0x0000000000400000-0x0000000000496000-memory.dmp
memory/2724-59-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2724-60-0x0000000000400000-0x0000000000438000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-12 06:15
Reported
2024-03-12 06:17
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Azorult
Oski
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1920 set thread context of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe |
| PID 4908 set thread context of 4604 | N/A | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe |
| PID 4388 set thread context of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe | C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe
"C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe"
C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe
"C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe"
C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe
"C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe"
C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe
"C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe"
C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe
"C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe"
C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe
"C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1212
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| DE | 185.53.177.54:443 | telete.in | tcp |
| US | 8.8.8.8:53 | hsagoi.ac.ug | udp |
| US | 8.8.8.8:53 | gordons.ac.ug | udp |
| US | 8.8.8.8:53 | gordons.ac.ug | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 54.177.53.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
memory/1920-2-0x00000000778B2000-0x00000000778B3000-memory.dmp
memory/1920-3-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe
| MD5 | 1f52ea06bdd59969bfa0f74cbe3d36e1 |
| SHA1 | 4ed0c4495a502830c46715fdef20033f29df51f8 |
| SHA256 | e6bd46f02b26c3670dbe7af7baa83411c793f7765994bf40ada869a81a4d340a |
| SHA512 | 48c7f339498ee5e07be238cf4ab059639557b27ff98f0d69752047ab83cf512ea13373fd7783e2aa9fd7a6a14ae861baceaa4614500f0647cff07255d892d672 |
C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe
| MD5 | b9924928f4b29aeefeae44164fcb572a |
| SHA1 | a8e5d7154f5692ecb437970fa13b10d5f6459a93 |
| SHA256 | 8a820fde18a110966a32716f5ebc4ca9a991bce2e08a58620f266d5372575bcd |
| SHA512 | 16b2450977d174bf43e8ea344b251469b60d4b5c7bd194637dd6418686766925cf382fdda2db4c57e060ad77b1a4b8d29b3500a07dd2e6ceb6a92b01f54ef5b9 |
memory/4388-31-0x00000000007E0000-0x00000000007E1000-memory.dmp
memory/4908-30-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
memory/1920-32-0x0000000003620000-0x0000000003627000-memory.dmp
memory/2108-33-0x0000000000400000-0x0000000000496000-memory.dmp
memory/2108-34-0x0000000000400000-0x0000000000496000-memory.dmp
memory/2108-35-0x0000000000400000-0x0000000000496000-memory.dmp
memory/2108-37-0x00000000778B2000-0x00000000778B3000-memory.dmp
memory/2108-38-0x0000000000630000-0x0000000000631000-memory.dmp
memory/4604-39-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4604-41-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4604-42-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4604-44-0x00000000778B2000-0x00000000778B3000-memory.dmp
memory/4604-45-0x00000000005B0000-0x00000000005B1000-memory.dmp
memory/2360-46-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2360-49-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2360-51-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2360-52-0x00000000778B2000-0x00000000778B3000-memory.dmp
memory/2360-53-0x0000000002040000-0x0000000002041000-memory.dmp
memory/4604-56-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4604-58-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2360-59-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2360-60-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2108-61-0x0000000000400000-0x0000000000496000-memory.dmp
memory/2108-62-0x0000000000400000-0x0000000000492000-memory.dmp