Malware Analysis Report

2024-11-30 21:23

Sample ID 231230-fs2p5sbfan
Target 0f9ecb7c0082c3e76a40c35bb867ebbc
SHA256 9d551aa53c203474d393074f3d7bc6459dc53e3bfd862a08796306b871ab0fc6
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d551aa53c203474d393074f3d7bc6459dc53e3bfd862a08796306b871ab0fc6

Threat Level: Known bad

The file 0f9ecb7c0082c3e76a40c35bb867ebbc was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 05:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 05:08

Reported

2023-12-31 00:14

Platform

win10v2004-20231215-en

Max time kernel

33s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f9ecb7c0082c3e76a40c35bb867ebbc.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\WrT\\WFS.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\lodVhy4rc\EaseOfAccessDialog.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\QSB16SkM3\printfilterpipelinesvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\P6zIL\WFS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3540 wrote to memory of 1040 N/A N/A C:\Windows\system32\printfilterpipelinesvc.exe
PID 3540 wrote to memory of 1040 N/A N/A C:\Windows\system32\printfilterpipelinesvc.exe
PID 3540 wrote to memory of 4576 N/A N/A C:\Users\Admin\AppData\Local\QSB16SkM3\printfilterpipelinesvc.exe
PID 3540 wrote to memory of 4576 N/A N/A C:\Users\Admin\AppData\Local\QSB16SkM3\printfilterpipelinesvc.exe
PID 3540 wrote to memory of 4956 N/A N/A C:\Windows\system32\WFS.exe
PID 3540 wrote to memory of 4956 N/A N/A C:\Windows\system32\WFS.exe
PID 3540 wrote to memory of 1128 N/A N/A C:\Users\Admin\AppData\Local\P6zIL\WFS.exe
PID 3540 wrote to memory of 1128 N/A N/A C:\Users\Admin\AppData\Local\P6zIL\WFS.exe
PID 3540 wrote to memory of 3212 N/A N/A C:\Windows\system32\EaseOfAccessDialog.exe
PID 3540 wrote to memory of 3212 N/A N/A C:\Windows\system32\EaseOfAccessDialog.exe
PID 3540 wrote to memory of 1292 N/A N/A C:\Users\Admin\AppData\Local\lodVhy4rc\EaseOfAccessDialog.exe
PID 3540 wrote to memory of 1292 N/A N/A C:\Users\Admin\AppData\Local\lodVhy4rc\EaseOfAccessDialog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f9ecb7c0082c3e76a40c35bb867ebbc.dll,#1

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Users\Admin\AppData\Local\QSB16SkM3\printfilterpipelinesvc.exe

C:\Users\Admin\AppData\Local\QSB16SkM3\printfilterpipelinesvc.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\P6zIL\WFS.exe

C:\Users\Admin\AppData\Local\P6zIL\WFS.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\lodVhy4rc\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\lodVhy4rc\EaseOfAccessDialog.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
US 93.184.221.240:80 tcp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/2888-0-0x00000185DE280000-0x00000185DE287000-memory.dmp

memory/2888-1-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-4-0x0000000002630000-0x0000000002631000-memory.dmp

memory/3540-7-0x00007FFD0F4DA000-0x00007FFD0F4DB000-memory.dmp

memory/3540-6-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-11-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-14-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-16-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-18-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-21-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-23-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-26-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-28-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-31-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-33-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-34-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-37-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-41-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-43-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-46-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-48-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-51-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-53-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-54-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-55-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-56-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-58-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-61-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-64-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-65-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-63-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-73-0x0000000001FF0000-0x0000000001FF7000-memory.dmp

memory/3540-62-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-60-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-59-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-57-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-52-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-82-0x00007FFD10760000-0x00007FFD10770000-memory.dmp

memory/3540-49-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-50-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-47-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-45-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-44-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-42-0x0000000140000000-0x0000000140342000-memory.dmp

memory/4576-104-0x000001EFE56B0000-0x000001EFE59F3000-memory.dmp

memory/4576-107-0x000001EFE5A00000-0x000001EFE5D43000-memory.dmp

memory/4576-109-0x000001EFE57A0000-0x000001EFE57A7000-memory.dmp

memory/3540-39-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-40-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-38-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-36-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-35-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-32-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-30-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-29-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-27-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-25-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-24-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-22-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-20-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-19-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-17-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-15-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-13-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-12-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-10-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3540-9-0x0000000140000000-0x0000000140342000-memory.dmp

memory/2888-8-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1128-123-0x000002666E540000-0x000002666E547000-memory.dmp

memory/1292-140-0x00000191153E0000-0x00000191153E7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3336304223-2978740688-3645194410-1000\JJAa\XmlLite.dll

MD5 2bdad474bec5f15a8afe128adeaf33bf
SHA1 34fc365a15beb5d7cf19e11fbb93554f81abd10c
SHA256 59a9b3e547548d419536e9eccddfb33e7b29b113c4b2ffaccb78ed3b79b919b0
SHA512 727ab549011645cbbe80231040669acff327b269440cf144579c78b2fce3f96ba94d63d371ae5173f56da809abd45efb9f8753892eb07cd10ee162c1fdae0594

C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\WrT\MFC42u.dll

MD5 1dbe3599a8b63e11367faaaeafb97d12
SHA1 8b4177c57de6c94ee09a2fcc5f18b6c7fd74aded
SHA256 9435b95fdbcacb08fb4af9c7a5104fc1635e0b6b1a8398bd4bc26bc6703137ee
SHA512 fc64a21bdff0fc9c59af80eb908ea4465f9cdffb21da072a4cd13dc4df28da27da16536ce9e9e9845f21dbeec340575d196c4719a92fb36e555c419d7845cd21

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\7hBBYmgIQ\OLEACC.dll

MD5 e2b43d2b612f9f5a4de5992d2d2b348c
SHA1 14070f6b628041b01bfce6853e3275986163b179
SHA256 75157155508d95aa9b01ee2482a0c82ec39e66bca043e3bbd3e8301f4eb96db3
SHA512 d4e29fb39474f074320401b4968d6960133833fb0b8bdc8e4cadf897f3aa03a958c8bc78039ef377df946772cb881f3c7280cf3a0d9a90e626ad1884e7ab62cc

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 05:08

Reported

2023-12-31 00:15

Platform

win7-20231215-en

Max time kernel

4s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f9ecb7c0082c3e76a40c35bb867ebbc.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f9ecb7c0082c3e76a40c35bb867ebbc.dll,#1

C:\Windows\system32\SoundRecorder.exe

C:\Windows\system32\SoundRecorder.exe

C:\Users\Admin\AppData\Local\2pTu7\SoundRecorder.exe

C:\Users\Admin\AppData\Local\2pTu7\SoundRecorder.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\tudCJhO\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\tudCJhO\EhStorAuthn.exe

C:\Windows\system32\SndVol.exe

C:\Windows\system32\SndVol.exe

C:\Users\Admin\AppData\Local\TiC\SndVol.exe

C:\Users\Admin\AppData\Local\TiC\SndVol.exe

Network

N/A

Files

memory/2052-1-0x0000000000390000-0x0000000000397000-memory.dmp

memory/2052-0-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-4-0x0000000077936000-0x0000000077937000-memory.dmp

memory/1200-5-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1200-7-0x0000000140000000-0x0000000140342000-memory.dmp

memory/2052-8-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-9-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-13-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-17-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-21-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-25-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-29-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-33-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-37-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-40-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-39-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-44-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-48-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-58-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-64-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-65-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-74-0x00000000029F0000-0x00000000029F7000-memory.dmp

memory/1200-63-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-62-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-83-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

memory/1200-82-0x0000000077A41000-0x0000000077A42000-memory.dmp

memory/1200-61-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-60-0x0000000140000000-0x0000000140342000-memory.dmp

memory/332-112-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1200-59-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-57-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-56-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-55-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-54-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-53-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-52-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-51-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-50-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-49-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-47-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-46-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-45-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-43-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-42-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-41-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-38-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-36-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-35-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-34-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-32-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-31-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-30-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-28-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-27-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-26-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-24-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-23-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-22-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-20-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-19-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-18-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-16-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-15-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-14-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-12-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-11-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1200-10-0x0000000140000000-0x0000000140342000-memory.dmp

memory/2236-159-0x0000000000280000-0x0000000000287000-memory.dmp

memory/1200-188-0x0000000077936000-0x0000000077937000-memory.dmp