Analysis Overview
SHA256
819a81aabd1c014d5f27ba2ba1265dce1f667093279565d43f76a5e82d3ed7a9
Threat Level: Known bad
The file Foriegn Payment_swift.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Formbook
Executes dropped EXE
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-18 11:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-18 11:09
Reported
2022-10-18 11:11
Platform
win7-20220901-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Formbook
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdnTARLxlP.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdnTARLxlP.js | C:\Windows\System32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1320 set thread context of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 1692 set thread context of 1208 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Foriegn Payment_swift.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fdnTARLxlP.js"
C:\Users\Admin\AppData\Local\Temp\bin.exe
"C:\Users\Admin\AppData\Local\Temp\bin.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| NG | 154.120.121.141:5465 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | www.shendaxian.com | udp |
| HK | 164.88.110.29:80 | www.shendaxian.com | tcp |
| US | 8.8.8.8:53 | www.sqlite.org | udp |
| US | 45.33.6.223:80 | www.sqlite.org | tcp |
| US | 45.33.6.223:80 | www.sqlite.org | tcp |
| NG | 154.120.121.141:5465 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | www.entacaoagencia.com | udp |
| US | 162.0.213.190:80 | www.entacaoagencia.com | tcp |
| US | 162.0.213.190:80 | www.entacaoagencia.com | tcp |
| US | 8.8.8.8:53 | www.hudsonbreadcafe.com | udp |
| US | 199.59.243.222:80 | www.hudsonbreadcafe.com | tcp |
| US | 199.59.243.222:80 | www.hudsonbreadcafe.com | tcp |
| US | 8.8.8.8:53 | www.pauloeamanda.com | udp |
| US | 54.85.86.211:80 | www.pauloeamanda.com | tcp |
| US | 54.85.86.211:80 | www.pauloeamanda.com | tcp |
| US | 8.8.8.8:53 | www.emu-o.com | udp |
| JP | 150.95.59.24:80 | www.emu-o.com | tcp |
| NG | 154.120.121.141:5465 | javaautorun.duia.ro | tcp |
| JP | 150.95.59.24:80 | www.emu-o.com | tcp |
| US | 8.8.8.8:53 | www.eyecandybeautysalon.com | udp |
| US | 151.101.1.211:80 | www.eyecandybeautysalon.com | tcp |
| US | 151.101.1.211:80 | www.eyecandybeautysalon.com | tcp |
| US | 8.8.8.8:53 | www.lisakykozla.xyz | udp |
| GB | 109.123.121.243:80 | www.lisakykozla.xyz | tcp |
| GB | 109.123.121.243:80 | www.lisakykozla.xyz | tcp |
| US | 8.8.8.8:53 | www.fansfulig.com | udp |
| HK | 8.212.24.67:80 | www.fansfulig.com | tcp |
| NG | 154.120.121.141:5465 | javaautorun.duia.ro | tcp |
| HK | 8.212.24.67:80 | www.fansfulig.com | tcp |
| US | 8.8.8.8:53 | www.hdfilmizleburada.com | udp |
| HK | 156.241.79.221:80 | www.hdfilmizleburada.com | tcp |
| HK | 156.241.79.221:80 | www.hdfilmizleburada.com | tcp |
| US | 8.8.8.8:53 | www.performance-trader.com | udp |
| DE | 81.169.145.93:80 | www.performance-trader.com | tcp |
| DE | 81.169.145.93:80 | www.performance-trader.com | tcp |
| US | 8.8.8.8:53 | www.citizenlab.tech | udp |
| VN | 103.130.216.151:80 | www.citizenlab.tech | tcp |
| NG | 154.120.121.141:5465 | javaautorun.duia.ro | tcp |
| VN | 103.130.216.151:80 | www.citizenlab.tech | tcp |
| US | 8.8.8.8:53 | www.caffe-italia1990.store | udp |
| IT | 195.110.124.133:80 | www.caffe-italia1990.store | tcp |
| IT | 195.110.124.133:80 | www.caffe-italia1990.store | tcp |
| US | 8.8.8.8:53 | www.alshahira.app | udp |
| US | 99.198.107.166:80 | www.alshahira.app | tcp |
| US | 99.198.107.166:80 | www.alshahira.app | tcp |
Files
memory/1264-54-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp
memory/1992-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\fdnTARLxlP.js
| MD5 | 6cc1717cad794e25164a2ba358fa22d3 |
| SHA1 | c8fd430bcb92ff060a85ca4fd7a2b829b069a234 |
| SHA256 | 8d17a84d7c1174928e0365e78288e2356c0d99f2194ebb2f4634333d80fc24c9 |
| SHA512 | 2db6675ca2c685b4d7823714bc6b9474184a20b9733d160bf83c88bad419427151c80607fd1c05cc6152fa6d4c30d6204442d6b446421012db34aa0eb7ff7364 |
C:\Users\Admin\AppData\Local\Temp\bin.exe
| MD5 | 26db0806c0871f293a77e5d5676e2fd8 |
| SHA1 | 7c17ccce454d81bb999c04d45e9e4913969a73ee |
| SHA256 | 2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66 |
| SHA512 | 0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f |
memory/1320-57-0x0000000000000000-mapping.dmp
memory/1320-60-0x0000000000BC0000-0x0000000000BEF000-memory.dmp
memory/1320-61-0x00000000007C0000-0x0000000000AC3000-memory.dmp
memory/1320-62-0x0000000000110000-0x0000000000120000-memory.dmp
memory/1208-63-0x0000000004A00000-0x0000000004B23000-memory.dmp
memory/1692-64-0x0000000000000000-mapping.dmp
memory/1692-65-0x0000000000CA0000-0x0000000000CC6000-memory.dmp
memory/1692-66-0x0000000000070000-0x000000000009D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bin.exe
| MD5 | 26db0806c0871f293a77e5d5676e2fd8 |
| SHA1 | 7c17ccce454d81bb999c04d45e9e4913969a73ee |
| SHA256 | 2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66 |
| SHA512 | 0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f |
memory/1692-68-0x00000000020D0000-0x00000000023D3000-memory.dmp
memory/1692-69-0x0000000000560000-0x00000000005EF000-memory.dmp
memory/1208-70-0x00000000064E0000-0x0000000006669000-memory.dmp
memory/1692-71-0x0000000000070000-0x000000000009D000-memory.dmp
memory/1692-72-0x0000000075601000-0x0000000075603000-memory.dmp
\Users\Admin\AppData\Local\Temp\sqlite3.dll
| MD5 | 7fd80b1cc72dc580c02ca4cfbfb2592d |
| SHA1 | 18da905af878b27151b359cf1a7d0a650764e8a1 |
| SHA256 | 1e6dccbdf8527abb53c289da920463b7895300d0d984cc7e91a3ecda4e673190 |
| SHA512 | 13f7f29b5ed31c551aa5f27742557aa4d026a226087d6fcbca094819759ecc753a2c33b7422ae88dc6a4a0a966edb8485a18e59a0283ba2686cae5d78e0190a3 |
memory/1208-74-0x00000000064E0000-0x0000000006669000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-18 11:09
Reported
2022-10-18 11:11
Platform
win10v2004-20220812-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Formbook
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdnTARLxlP.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdnTARLxlP.js | C:\Windows\System32\wscript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2496 set thread context of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 4752 set thread context of 2720 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Foriegn Payment_swift.js"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fdnTARLxlP.js"
C:\Users\Admin\AppData\Local\Temp\bin.exe
"C:\Users\Admin\AppData\Local\Temp\bin.exe"
C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| NG | 154.120.121.141:5465 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | www.shendaxian.com | udp |
| HK | 164.88.110.29:80 | www.shendaxian.com | tcp |
| NG | 154.120.121.141:5465 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | www.entacaoagencia.com | udp |
| US | 162.0.213.190:80 | www.entacaoagencia.com | tcp |
| US | 162.0.213.190:80 | www.entacaoagencia.com | tcp |
| US | 162.0.213.190:80 | www.entacaoagencia.com | tcp |
| US | 162.0.213.190:80 | www.entacaoagencia.com | tcp |
| US | 8.8.8.8:53 | www.hudsonbreadcafe.com | udp |
| US | 199.59.243.222:80 | www.hudsonbreadcafe.com | tcp |
| US | 199.59.243.222:80 | www.hudsonbreadcafe.com | tcp |
| US | 199.59.243.222:80 | www.hudsonbreadcafe.com | tcp |
| US | 199.59.243.222:80 | www.hudsonbreadcafe.com | tcp |
| US | 8.8.8.8:53 | www.pauloeamanda.com | udp |
| US | 54.85.86.211:80 | www.pauloeamanda.com | tcp |
| US | 54.85.86.211:80 | www.pauloeamanda.com | tcp |
| NG | 154.120.121.141:5465 | javaautorun.duia.ro | tcp |
| US | 54.85.86.211:80 | www.pauloeamanda.com | tcp |
| US | 54.85.86.211:80 | www.pauloeamanda.com | tcp |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | www.emu-o.com | udp |
| JP | 150.95.59.24:80 | www.emu-o.com | tcp |
| JP | 150.95.59.24:80 | www.emu-o.com | tcp |
| JP | 150.95.59.24:80 | www.emu-o.com | tcp |
| JP | 150.95.59.24:80 | www.emu-o.com | tcp |
| US | 8.8.8.8:53 | www.eyecandybeautysalon.com | udp |
| US | 151.101.1.211:80 | www.eyecandybeautysalon.com | tcp |
| US | 151.101.1.211:80 | www.eyecandybeautysalon.com | tcp |
| US | 151.101.1.211:80 | www.eyecandybeautysalon.com | tcp |
| US | 151.101.1.211:80 | www.eyecandybeautysalon.com | tcp |
| NG | 154.120.121.141:5465 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | www.lisakykozla.xyz | udp |
| GB | 109.123.121.243:80 | www.lisakykozla.xyz | tcp |
| GB | 109.123.121.243:80 | www.lisakykozla.xyz | tcp |
| GB | 109.123.121.243:80 | www.lisakykozla.xyz | tcp |
| GB | 109.123.121.243:80 | www.lisakykozla.xyz | tcp |
| US | 8.8.8.8:53 | www.fansfulig.com | udp |
| HK | 8.212.24.67:80 | www.fansfulig.com | tcp |
| HK | 8.212.24.67:80 | www.fansfulig.com | tcp |
| HK | 8.212.24.67:80 | www.fansfulig.com | tcp |
| HK | 8.212.24.67:80 | www.fansfulig.com | tcp |
| NG | 154.120.121.141:5465 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | www.hdfilmizleburada.com | udp |
| HK | 156.241.79.221:80 | www.hdfilmizleburada.com | tcp |
| HK | 156.241.79.221:80 | www.hdfilmizleburada.com | tcp |
| HK | 156.241.79.221:80 | www.hdfilmizleburada.com | tcp |
| HK | 156.241.79.221:80 | www.hdfilmizleburada.com | tcp |
| US | 8.8.8.8:53 | www.performance-trader.com | udp |
| DE | 81.169.145.93:80 | www.performance-trader.com | tcp |
| DE | 81.169.145.93:80 | www.performance-trader.com | tcp |
| DE | 81.169.145.93:80 | www.performance-trader.com | tcp |
| DE | 81.169.145.93:80 | www.performance-trader.com | tcp |
| US | 8.8.8.8:53 | www.citizenlab.tech | udp |
| VN | 103.130.216.151:80 | www.citizenlab.tech | tcp |
| VN | 103.130.216.151:80 | www.citizenlab.tech | tcp |
| NG | 154.120.121.141:5465 | javaautorun.duia.ro | tcp |
| VN | 103.130.216.151:80 | www.citizenlab.tech | tcp |
| VN | 103.130.216.151:80 | www.citizenlab.tech | tcp |
Files
memory/820-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\fdnTARLxlP.js
| MD5 | 6cc1717cad794e25164a2ba358fa22d3 |
| SHA1 | c8fd430bcb92ff060a85ca4fd7a2b829b069a234 |
| SHA256 | 8d17a84d7c1174928e0365e78288e2356c0d99f2194ebb2f4634333d80fc24c9 |
| SHA512 | 2db6675ca2c685b4d7823714bc6b9474184a20b9733d160bf83c88bad419427151c80607fd1c05cc6152fa6d4c30d6204442d6b446421012db34aa0eb7ff7364 |
memory/2496-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\bin.exe
| MD5 | 26db0806c0871f293a77e5d5676e2fd8 |
| SHA1 | 7c17ccce454d81bb999c04d45e9e4913969a73ee |
| SHA256 | 2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66 |
| SHA512 | 0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f |
C:\Users\Admin\AppData\Local\Temp\bin.exe
| MD5 | 26db0806c0871f293a77e5d5676e2fd8 |
| SHA1 | 7c17ccce454d81bb999c04d45e9e4913969a73ee |
| SHA256 | 2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66 |
| SHA512 | 0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f |
memory/2496-137-0x0000000000CA0000-0x0000000000CCF000-memory.dmp
memory/2496-138-0x0000000001670000-0x00000000019BA000-memory.dmp
memory/2496-139-0x00000000011D0000-0x00000000011E0000-memory.dmp
memory/2720-140-0x0000000008570000-0x00000000086FF000-memory.dmp
memory/4752-141-0x0000000000000000-mapping.dmp
memory/4752-142-0x0000000000830000-0x0000000000836000-memory.dmp
memory/4752-143-0x00000000008C0000-0x00000000008ED000-memory.dmp
memory/4752-144-0x00000000027B0000-0x0000000002AFA000-memory.dmp
memory/4752-145-0x0000000002600000-0x000000000268F000-memory.dmp
memory/2720-146-0x0000000003140000-0x0000000003244000-memory.dmp
memory/4752-147-0x00000000008C0000-0x00000000008ED000-memory.dmp
memory/2720-148-0x0000000003140000-0x0000000003244000-memory.dmp