Analysis Overview
SHA256
9d551aa53c203474d393074f3d7bc6459dc53e3bfd862a08796306b871ab0fc6
Threat Level: Known bad
The file 0f9ecb7c0082c3e76a40c35bb867ebbc was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 05:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 05:08
Reported
2023-12-31 00:14
Platform
win10v2004-20231215-en
Max time kernel
33s
Max time network
153s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\QSB16SkM3\printfilterpipelinesvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\P6zIL\WFS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\lodVhy4rc\EaseOfAccessDialog.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\QSB16SkM3\printfilterpipelinesvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\P6zIL\WFS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\lodVhy4rc\EaseOfAccessDialog.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\WrT\\WFS.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\lodVhy4rc\EaseOfAccessDialog.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\QSB16SkM3\printfilterpipelinesvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\P6zIL\WFS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f9ecb7c0082c3e76a40c35bb867ebbc.dll,#1
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\QSB16SkM3\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\QSB16SkM3\printfilterpipelinesvc.exe
C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
C:\Users\Admin\AppData\Local\P6zIL\WFS.exe
C:\Users\Admin\AppData\Local\P6zIL\WFS.exe
C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\lodVhy4rc\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\lodVhy4rc\EaseOfAccessDialog.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3336304223-2978740688-3645194410-1000\JJAa\XmlLite.dll
| MD5 | 2bdad474bec5f15a8afe128adeaf33bf |
| SHA1 | 34fc365a15beb5d7cf19e11fbb93554f81abd10c |
| SHA256 | 59a9b3e547548d419536e9eccddfb33e7b29b113c4b2ffaccb78ed3b79b919b0 |
| SHA512 | 727ab549011645cbbe80231040669acff327b269440cf144579c78b2fce3f96ba94d63d371ae5173f56da809abd45efb9f8753892eb07cd10ee162c1fdae0594 |
C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\WrT\MFC42u.dll
| MD5 | 1dbe3599a8b63e11367faaaeafb97d12 |
| SHA1 | 8b4177c57de6c94ee09a2fcc5f18b6c7fd74aded |
| SHA256 | 9435b95fdbcacb08fb4af9c7a5104fc1635e0b6b1a8398bd4bc26bc6703137ee |
| SHA512 | fc64a21bdff0fc9c59af80eb908ea4465f9cdffb21da072a4cd13dc4df28da27da16536ce9e9e9845f21dbeec340575d196c4719a92fb36e555c419d7845cd21 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\7hBBYmgIQ\OLEACC.dll
| MD5 | e2b43d2b612f9f5a4de5992d2d2b348c |
| SHA1 | 14070f6b628041b01bfce6853e3275986163b179 |
| SHA256 | 75157155508d95aa9b01ee2482a0c82ec39e66bca043e3bbd3e8301f4eb96db3 |
| SHA512 | d4e29fb39474f074320401b4968d6960133833fb0b8bdc8e4cadf897f3aa03a958c8bc78039ef377df946772cb881f3c7280cf3a0d9a90e626ad1884e7ab62cc |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 05:08
Reported
2023-12-31 00:15
Platform
win7-20231215-en
Max time kernel
4s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f9ecb7c0082c3e76a40c35bb867ebbc.dll,#1
C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
C:\Users\Admin\AppData\Local\2pTu7\SoundRecorder.exe
C:\Users\Admin\AppData\Local\2pTu7\SoundRecorder.exe
C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\tudCJhO\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\tudCJhO\EhStorAuthn.exe
C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
C:\Users\Admin\AppData\Local\TiC\SndVol.exe
C:\Users\Admin\AppData\Local\TiC\SndVol.exe
Network
Files