Analysis Overview
SHA256
3314a3bc9f609c398b705045a9640c296ab9f55c6e3405546002ab175ef2ee1d
Threat Level: Known bad
The file 0fb0cad98171f42890b726bd68e74da8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer payload
ISR Stealer
Checks computer location settings
Reads data files stored by FTP clients
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-25 22:02
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 22:02
Reported
2024-06-25 22:05
Platform
win7-20240221-en
Max time kernel
142s
Max time network
118s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MKPHP.tmp\rar_password_unlocker_trial.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Documents\lshss.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1828 set thread context of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe | C:\Users\Admin\Documents\lshss.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\lshss.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MKPHP.tmp\rar_password_unlocker_trial.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\lshss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe
"C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe"
C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe
"C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe"
C:\Users\Admin\AppData\Local\Temp\is-MKPHP.tmp\rar_password_unlocker_trial.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MKPHP.tmp\rar_password_unlocker_trial.tmp" /SL5="$6014E,2718139,54272,C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ithrxura.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES207D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC207C.tmp"
C:\Users\Admin\Documents\lshss.exe
C:\Users\Admin\Documents\lshss.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bon3rz.com | udp |
Files
\Users\Admin\AppData\Local\Temp\ayyyyy.exe
| MD5 | 2603a878062e895071741970fb915e04 |
| SHA1 | 3cbe752a21d0d549518bee4873dd2576709379c5 |
| SHA256 | af9af43594a39f022a8b8b54c46dcd368982b2147b603f97034c25d0945dfbb9 |
| SHA512 | 337f4b07fe686fe1d42db1815aa85c3ffa9181a517ae9064bf3022273d3e8d76ace10ea24f2d4211f8ebcbfd557f1e144190b6f7ef08cc817db3103afc3f4ad1 |
\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe
| MD5 | 0fd873c1c20fd49acb187c748944bd11 |
| SHA1 | a40361bdcbcda881c71fcb1a2e1d658ad8978959 |
| SHA256 | 0fa15641d9bfb0b675f55f55b0c10542f6970cc64e5396454d33e662d609d7e1 |
| SHA512 | daf2db3fd95ae6b92c88c56923470ed1eeca30b1dc4ada5b08da771dd5da8089fce9244c88d7394545de77f1fc9f7c8c677037d13feb54cb3f9cf00b8ae426fc |
\Users\Admin\AppData\Local\Temp\is-MKPHP.tmp\rar_password_unlocker_trial.tmp
| MD5 | c765336f0dcf4efdcc2101eed67cd30c |
| SHA1 | fa0279f59738c5aa3b6b20106e109ccd77f895a7 |
| SHA256 | c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28 |
| SHA512 | 06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891 |
\Users\Admin\AppData\Local\Temp\is-2BHKO.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\??\c:\Users\Admin\AppData\Local\Temp\ithrxura.cmdline
| MD5 | 821a4bf40fa020ea7e7dddf7a18d5e45 |
| SHA1 | 11c3067de90ede239eb52a82d36b3fc5c2d4c95d |
| SHA256 | 036393198a2619d9cec767e466239d6a4e03fd6e1b0d753bb49cda166022d967 |
| SHA512 | f66a2a1971c01de7d639cc64779f1a256b6005c087c7ce6920fe611b4081481c7cd1326c37e388255a40765fa2d35c15e2eff8a3159fe775af0ea02aa70d80cc |
\??\c:\Users\Admin\AppData\Local\Temp\ithrxura.0.cs
| MD5 | 2bc50d88957abf4e0cb6fe9c856c882f |
| SHA1 | 4bd2ec2628c6e7a1acf7eabafaa0a9d6c428207f |
| SHA256 | d3820365da0d704cf8f350c98d4fa69f38a8beb8742560eff178d854160127cc |
| SHA512 | 60285ce9a7eb2366f04a819ddea4d2b383f32c1f99a16009c0d5ca7384cd3290bafd889db87fcf91abca53be365c1e66cacc502d380f95dcaf0b1a87dca7f4a8 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC207C.tmp
| MD5 | 00474ea0d164e35ffcb8a6664eda5684 |
| SHA1 | d4e8f1f67b7eec1de89a61d1c6b0c8785a420eb2 |
| SHA256 | 341d407b593f89493cc00a369d2fef95a8b62a33517d7a1ea53047b4ef0b2e75 |
| SHA512 | 9ec391341d902a61aae9e32afacc8ac34da4d3a815883d9ee7e00cb8636160ec369f0c5a42d69a9d46a5b0f61b062f7746db9f12d269b9eed2732ea9cc0156e3 |
C:\Users\Admin\AppData\Local\Temp\RES207D.tmp
| MD5 | 1d195782b9cf0def23e6e4e8a9b2cd02 |
| SHA1 | efb39a664e9ad18207c3f7d481667886eeb7e6a4 |
| SHA256 | 04fc51a713e18f4f4b5ee891eb9f6b83b95b0449ffd1277e06945746ff36bfcb |
| SHA512 | b6e6daceef78d12958fa8cce7bdf994ac2b3b2e8fd71f55490107f4c01111cd0082ae24ca7947fa6d2c893d28784073a808a9696a260910e133573b1d6162de4 |
C:\Users\Admin\AppData\Local\Temp\ithrxura.dll
| MD5 | 0966a587af328d5bc0db3b89c563e3e9 |
| SHA1 | 53c0fc310a1b409646431a91b9c7d8798f61c8b1 |
| SHA256 | a87cb19fa9f8af14abefe70d1d3fc366c5a20c23b9588f91d9c53b0d46b67748 |
| SHA512 | 9bc2d989dbab6c9aa89ad272c80ca647f528bd7aa1f4fc8401de2e25a0f289b533d615d92d4c28b354de10b7d73709bc70de0a9357dbbaee84f51ae6f29a8dfa |
\Users\Admin\Documents\lshss.exe
| MD5 | 974f0e2644d518ed0507d73c01e45ac3 |
| SHA1 | fc202efa0796f95542ee4b2deadb18fb6e78afa4 |
| SHA256 | 0eaac28e58fc48cb6d74e1f44f93156b225e7e7b0793b223ce75a50fe3fd99b3 |
| SHA512 | bdf645abeb861cb1893e5abbc3697e4947fe91b05ab63b4f2c44ef911a23634da548530e31599a2f7f8203cce4487aa5e258e9606fe0bcd7108e97e24ce6b1b6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 22:02
Reported
2024-06-25 22:05
Platform
win10v2004-20240611-en
Max time kernel
141s
Max time network
100s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-PIRQI.tmp\rar_password_unlocker_trial.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Documents\lshss.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1880 set thread context of 444 | N/A | C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe | C:\Users\Admin\Documents\lshss.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\lshss.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\lshss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe
"C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe"
C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe
"C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe"
C:\Users\Admin\AppData\Local\Temp\is-PIRQI.tmp\rar_password_unlocker_trial.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PIRQI.tmp\rar_password_unlocker_trial.tmp" /SL5="$5011E,2718139,54272,C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i4oy6wvy.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52F3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC52F2.tmp"
C:\Users\Admin\Documents\lshss.exe
C:\Users\Admin\Documents\lshss.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bon3rz.com | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe
| MD5 | 2603a878062e895071741970fb915e04 |
| SHA1 | 3cbe752a21d0d549518bee4873dd2576709379c5 |
| SHA256 | af9af43594a39f022a8b8b54c46dcd368982b2147b603f97034c25d0945dfbb9 |
| SHA512 | 337f4b07fe686fe1d42db1815aa85c3ffa9181a517ae9064bf3022273d3e8d76ace10ea24f2d4211f8ebcbfd557f1e144190b6f7ef08cc817db3103afc3f4ad1 |
C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe
| MD5 | 0fd873c1c20fd49acb187c748944bd11 |
| SHA1 | a40361bdcbcda881c71fcb1a2e1d658ad8978959 |
| SHA256 | 0fa15641d9bfb0b675f55f55b0c10542f6970cc64e5396454d33e662d609d7e1 |
| SHA512 | daf2db3fd95ae6b92c88c56923470ed1eeca30b1dc4ada5b08da771dd5da8089fce9244c88d7394545de77f1fc9f7c8c677037d13feb54cb3f9cf00b8ae426fc |
C:\Users\Admin\AppData\Local\Temp\is-PIRQI.tmp\rar_password_unlocker_trial.tmp
| MD5 | c765336f0dcf4efdcc2101eed67cd30c |
| SHA1 | fa0279f59738c5aa3b6b20106e109ccd77f895a7 |
| SHA256 | c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28 |
| SHA512 | 06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891 |
\??\c:\Users\Admin\AppData\Local\Temp\i4oy6wvy.cmdline
| MD5 | b747211b5a9260b7abd2b37642c76849 |
| SHA1 | 793e1e2b6bdd663a4626a186cb71593b1dc08752 |
| SHA256 | 8f49a21c39518520c932b3683d2e30c795062c2eacc35d2580a61671369ce58b |
| SHA512 | 163c5e7d48a75ca81c5a0cf9ac866ffa1bfeeccb672bf605e0c96976f5e792a584c36ae1285c35d4ecddbf9766c3cb7d269fb1fe7041e511ac410ce1b9e5f1d6 |
\??\c:\Users\Admin\AppData\Local\Temp\i4oy6wvy.0.cs
| MD5 | 2bc50d88957abf4e0cb6fe9c856c882f |
| SHA1 | 4bd2ec2628c6e7a1acf7eabafaa0a9d6c428207f |
| SHA256 | d3820365da0d704cf8f350c98d4fa69f38a8beb8742560eff178d854160127cc |
| SHA512 | 60285ce9a7eb2366f04a819ddea4d2b383f32c1f99a16009c0d5ca7384cd3290bafd889db87fcf91abca53be365c1e66cacc502d380f95dcaf0b1a87dca7f4a8 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC52F2.tmp
| MD5 | 662a8e0bdd1560e8a9c96212e80f4eaa |
| SHA1 | c49436a7af682221e03e36546020f399b47d9df4 |
| SHA256 | c282ce6e16f42b9e73238c193065f2d12849e898b9df4ab6f7e09caa73303ae8 |
| SHA512 | 5364cc04effb962b2b79a15ee0321b998173e40edf58fdeb8383fc3b46d92ca54a73baca0307554dc714809c63c108e107b5d64ad1a11aee50f7d3ac7b6aa62f |
C:\Users\Admin\AppData\Local\Temp\RES52F3.tmp
| MD5 | c288e6e5abe0eb30e455cfe4e764724e |
| SHA1 | 743742aea77e76e32f3ea05b263c5324e0f81cd4 |
| SHA256 | ea40d063c025191b31a563836e939ab8cd73dff5a820e6070bdbf95759282b3c |
| SHA512 | 9651c248a9df9c6a991863a4cc100ed2d886a0ab07079445eb21e721cee6990a1f3b276595a76cb6afec35f093e7b83fb472fd8da40e4f6a3486fffdd3761ff4 |
C:\Users\Admin\AppData\Local\Temp\i4oy6wvy.dll
| MD5 | 9e17390e3c5029b705a33dcb45938223 |
| SHA1 | e3b29b12d62121aee34940cf5972668ee5421353 |
| SHA256 | 591d159bcd56f64964de28d4b69935b19d281e814d478012afa3a6dfaf048a4c |
| SHA512 | 4ff4e0e7db3340ac10b238574d8ec6e9e626617c687595453267b0cd89743e26d222ceb0c9931ce51c17daafc43dae683b6bc77c65afe915649e4cd7fa878aa1 |
C:\Users\Admin\Documents\lshss.exe
| MD5 | 974f0e2644d518ed0507d73c01e45ac3 |
| SHA1 | fc202efa0796f95542ee4b2deadb18fb6e78afa4 |
| SHA256 | 0eaac28e58fc48cb6d74e1f44f93156b225e7e7b0793b223ce75a50fe3fd99b3 |
| SHA512 | bdf645abeb861cb1893e5abbc3697e4947fe91b05ab63b4f2c44ef911a23634da548530e31599a2f7f8203cce4487aa5e258e9606fe0bcd7108e97e24ce6b1b6 |