Analysis Overview
SHA256
45fe64048c39ba964359cc11aed7e5da0bcac95115eebfafad445e548246b8fc
Threat Level: Known bad
The file 13d90e1b8ddda68fa897813f073ba521 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 08:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 08:55
Reported
2023-12-31 09:15
Platform
win7-20231215-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\g7V\msra.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\g7V\msra.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\MjFZ\\UI0DET~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\g7V\msra.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1388 wrote to memory of 2524 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe |
| PID 1388 wrote to memory of 2524 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe |
| PID 1388 wrote to memory of 2524 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe |
| PID 1388 wrote to memory of 856 | N/A | N/A | C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe |
| PID 1388 wrote to memory of 856 | N/A | N/A | C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe |
| PID 1388 wrote to memory of 856 | N/A | N/A | C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe |
| PID 1388 wrote to memory of 2300 | N/A | N/A | C:\Windows\system32\UI0Detect.exe |
| PID 1388 wrote to memory of 2300 | N/A | N/A | C:\Windows\system32\UI0Detect.exe |
| PID 1388 wrote to memory of 2300 | N/A | N/A | C:\Windows\system32\UI0Detect.exe |
| PID 1388 wrote to memory of 2420 | N/A | N/A | C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe |
| PID 1388 wrote to memory of 2420 | N/A | N/A | C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe |
| PID 1388 wrote to memory of 2420 | N/A | N/A | C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe |
| PID 1388 wrote to memory of 1524 | N/A | N/A | C:\Windows\system32\msra.exe |
| PID 1388 wrote to memory of 1524 | N/A | N/A | C:\Windows\system32\msra.exe |
| PID 1388 wrote to memory of 1524 | N/A | N/A | C:\Windows\system32\msra.exe |
| PID 1388 wrote to memory of 2448 | N/A | N/A | C:\Users\Admin\AppData\Local\g7V\msra.exe |
| PID 1388 wrote to memory of 2448 | N/A | N/A | C:\Users\Admin\AppData\Local\g7V\msra.exe |
| PID 1388 wrote to memory of 2448 | N/A | N/A | C:\Users\Admin\AppData\Local\g7V\msra.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\13d90e1b8ddda68fa897813f073ba521.dll
C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\UI0Detect.exe
C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe
C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe
C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
C:\Users\Admin\AppData\Local\g7V\msra.exe
C:\Users\Admin\AppData\Local\g7V\msra.exe
Network
Files
\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe
| MD5 | eae7af6084667c8f05412ddf096167fc |
| SHA1 | 0dbe8aba001447030e48e8ad5466fd23481e6140 |
| SHA256 | 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc |
| SHA512 | 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d |
C:\Users\Admin\AppData\Local\LL0\appwiz.cpl
| MD5 | af09c3c6b446dcb27835fc030c33c08a |
| SHA1 | 58aef224250f191691e6f75c5a58b673feafbe38 |
| SHA256 | 7860aff5f026ab346a3279f480cb2833f06f4b744f509cde494a2bb55da5b314 |
| SHA512 | 2e1919a2517dd48657615987a765088ac1884a2500074c2ed57ac8effa2d5b9d40cbe010d0cc348690e66bbb305183e932f07b1d9cd1d0a54dddedfb131bdf58 |
memory/856-59-0x0000000140000000-0x00000001400B7000-memory.dmp
memory/1388-60-0x0000000077656000-0x0000000077657000-memory.dmp
memory/856-63-0x0000000001B20000-0x0000000001B27000-memory.dmp
memory/856-66-0x0000000140000000-0x00000001400B7000-memory.dmp
\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe
| MD5 | 3cbdec8d06b9968aba702eba076364a1 |
| SHA1 | 6e0fcaccadbdb5e3293aa3523ec1006d92191c58 |
| SHA256 | b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b |
| SHA512 | a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d |
C:\Users\Admin\AppData\Local\xNtFTh5g\VERSION.dll
| MD5 | d361fcc3cf64f0f50757f8e4c684e727 |
| SHA1 | f6243b04b9b75859a2be8690c829a5fb313e99e4 |
| SHA256 | fed2288d70345c496f9009e4cb2a508654569cce2d6e3a32ca764c0a04808ee5 |
| SHA512 | 1cd16fe033b0b6ca3622ec3ed68c9448366250c72f940453b89c8e7b43604b8161caa46c137a59b035d2bae5ae848f7252dffdffd4d66543a341b23c378b95c4 |
memory/2420-80-0x0000000000070000-0x0000000000077000-memory.dmp
memory/2420-84-0x0000000140000000-0x00000001400B7000-memory.dmp
\Users\Admin\AppData\Local\g7V\msra.exe
| MD5 | e79df53bad587e24b3cf965a5746c7b6 |
| SHA1 | 87a97ec159a3fc1db211f3c2c62e4d60810e7a70 |
| SHA256 | 4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d |
| SHA512 | 9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb |
C:\Users\Admin\AppData\Local\g7V\NDFAPI.DLL
| MD5 | ff649db3b51521d9fcf06978b8852a56 |
| SHA1 | d534d877193c61d6693b46f032e3c18b61b2ee26 |
| SHA256 | 3a54f8b70a466437393eb71563e969ae9a29c0c4f6fd75e7e35870c7bfcf7f43 |
| SHA512 | 5189eadaceb89be8a61e012ba1270513a9ccc66eee6a27c41420052b1d04a1c79f54ab22d4def5093e0516d85dcf933d771608d099c195efef0b194fc75f197d |
memory/2448-97-0x0000000000260000-0x0000000000267000-memory.dmp
memory/2448-102-0x0000000140000000-0x00000001400B7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
| MD5 | d8e0da9e370e85d1ade5e9d5b03ebd64 |
| SHA1 | a21e94bc931cbe4e0d92fb97217bbc9b73d3ad3e |
| SHA256 | 617a4ed8c2e2d9bdb85a805dd641bb88939516d23979bef9d1603c50af1e85ec |
| SHA512 | f53c5c25acc1cf90c48ba7f35e20db13903c5a5d907323cc601cb44e004848a4ecfaef518aa7995dc2d3ad07d96594fc32e0d92e253712661707f28232e6c526 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 08:55
Reported
2023-12-31 09:15
Platform
win10v2004-20231215-en
Max time kernel
3s
Max time network
126s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\13d90e1b8ddda68fa897813f073ba521.dll
C:\Users\Admin\AppData\Local\8dDbY7\rstrui.exe
C:\Users\Admin\AppData\Local\8dDbY7\rstrui.exe
C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
C:\Users\Admin\AppData\Local\2xbAwnj5\consent.exe
C:\Users\Admin\AppData\Local\2xbAwnj5\consent.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
C:\Users\Admin\AppData\Local\4UAEZo5\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\4UAEZo5\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\u1m41W0v\wusa.exe
C:\Users\Admin\AppData\Local\u1m41W0v\wusa.exe
C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
Network
Files