Malware Analysis Report

2025-03-15 07:46

Sample ID 240206-qk3mksfhd7
Target 94991507c04f29915d7afeb6a1ce2c0b
SHA256 0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f
Tags
gozi 10030 banker isfb persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f

Threat Level: Known bad

The file 94991507c04f29915d7afeb6a1ce2c0b was found to be: Known bad.

Malicious Activity Summary

gozi 10030 banker isfb persistence trojan

Gozi

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-06 13:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 13:20

Reported

2024-02-06 13:22

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi

banker trojan gozi

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnstui = "C:\\Users\\Admin\\AppData\\Roaming\\adsltext\\acpphema.exe" C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4712 set thread context of 5040 N/A C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe C:\Windows\system32\svchost.exe
PID 5040 set thread context of 3596 N/A C:\Windows\system32\svchost.exe C:\Windows\Explorer.EXE
PID 3596 set thread context of 1364 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3596 set thread context of 4196 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3596 set thread context of 2868 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe
PID 1636 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe
PID 1636 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe
PID 4712 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe C:\Windows\system32\svchost.exe
PID 4712 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe C:\Windows\system32\svchost.exe
PID 4712 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe C:\Windows\system32\svchost.exe
PID 4712 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe C:\Windows\system32\svchost.exe
PID 4712 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe C:\Windows\system32\svchost.exe
PID 5040 wrote to memory of 3596 N/A C:\Windows\system32\svchost.exe C:\Windows\Explorer.EXE
PID 5040 wrote to memory of 3596 N/A C:\Windows\system32\svchost.exe C:\Windows\Explorer.EXE
PID 5040 wrote to memory of 3596 N/A C:\Windows\system32\svchost.exe C:\Windows\Explorer.EXE
PID 3596 wrote to memory of 1364 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 1364 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 1364 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 4196 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 4196 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 4196 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 2868 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 2868 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 2868 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe

"C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CB9C\65CE.bat" "C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""

C:\Windows\SysWOW64\cmd.exe

cmd /C ""C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""

C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe

"C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/1208-0-0x00000000009B0000-0x0000000000A15000-memory.dmp

memory/1208-1-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1208-7-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1208-8-0x00000000009B0000-0x0000000000A15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CB9C\65CE.bat

MD5 8c817d9cb6d422ccbfd3a55d173dbaef
SHA1 bfe5c99c17e7b16db3cf61d37da61d6aa94eafd4
SHA256 72ac87fcd48ff4ede7cd4c165f71b92ab3389f5b284cd430e7a6b04f7d3cdec2
SHA512 64fa76bd99e8b5cdbe0137c662119ec1668cfaacb3f81013c37f24a80bd9f11e65deeb63ec9be013d6c7b700b815cbc274cbd92f0b29d34c15d80d62bb27f8ed

C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe

MD5 94991507c04f29915d7afeb6a1ce2c0b
SHA1 bb71a4a11a793cd6e4554e6cfa415bc93509599d
SHA256 0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f
SHA512 b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0

memory/4712-14-0x00000000009D0000-0x0000000000A35000-memory.dmp

memory/5040-20-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/4712-21-0x00000000009D0000-0x0000000000A35000-memory.dmp

memory/4712-18-0x0000000000400000-0x0000000000474000-memory.dmp

memory/5040-17-0x00000000007E0000-0x00000000008E1000-memory.dmp

memory/5040-26-0x00000000007E0000-0x00000000008E1000-memory.dmp

memory/5040-29-0x00000000007E0000-0x00000000008E1000-memory.dmp

memory/3596-28-0x0000000000400000-0x0000000000401000-memory.dmp

memory/3596-25-0x0000000002510000-0x0000000002611000-memory.dmp

memory/1364-36-0x00000154410C0000-0x00000154411C1000-memory.dmp

memory/1364-38-0x0000015440490000-0x0000015440491000-memory.dmp

memory/4196-43-0x0000022763430000-0x0000022763431000-memory.dmp

memory/1364-44-0x00000154410C0000-0x00000154411C1000-memory.dmp

memory/4196-42-0x0000022763470000-0x0000022763571000-memory.dmp

memory/2868-49-0x000001E4B4920000-0x000001E4B4A21000-memory.dmp

memory/2868-51-0x000001E4B41D0000-0x000001E4B41D1000-memory.dmp

memory/3596-54-0x0000000002510000-0x0000000002611000-memory.dmp

memory/3596-50-0x0000000002510000-0x0000000002611000-memory.dmp

memory/4196-57-0x0000022763470000-0x0000022763571000-memory.dmp

memory/3596-56-0x0000000002510000-0x0000000002611000-memory.dmp

memory/2868-59-0x000001E4B4920000-0x000001E4B4A21000-memory.dmp

memory/3596-48-0x0000000002510000-0x0000000002611000-memory.dmp

memory/3596-60-0x0000000002510000-0x0000000002611000-memory.dmp

memory/1364-61-0x00000154410C0000-0x00000154411C1000-memory.dmp

memory/4196-62-0x0000022763470000-0x0000022763571000-memory.dmp

memory/2868-63-0x000001E4B4920000-0x000001E4B4A21000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 13:20

Reported

2024-02-06 13:22

Platform

win7-20231215-en

Max time kernel

119s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmdisnap = "C:\\Users\\Admin\\AppData\\Roaming\\Audiedit\\amxrerop.exe" C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2788 set thread context of 2724 N/A C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe C:\Windows\system32\svchost.exe
PID 2724 set thread context of 1244 N/A C:\Windows\system32\svchost.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe
PID 2792 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe
PID 2792 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe
PID 2792 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe
PID 2788 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe C:\Windows\system32\svchost.exe
PID 2724 wrote to memory of 1244 N/A C:\Windows\system32\svchost.exe C:\Windows\Explorer.EXE
PID 2724 wrote to memory of 1244 N/A C:\Windows\system32\svchost.exe C:\Windows\Explorer.EXE
PID 2724 wrote to memory of 1244 N/A C:\Windows\system32\svchost.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe

"C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\85B4\42DA.bat" "C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""

C:\Windows\SysWOW64\cmd.exe

cmd /C ""C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""

C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe

"C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

N/A

Files

memory/1688-1-0x0000000000480000-0x00000000004E5000-memory.dmp

memory/1688-0-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\85B4\42DA.bat

MD5 25ed7e258d74edf77d9f17725d88ddf8
SHA1 727cc6cfe22b941d45f9aaae9ca49c0f4fdb44fe
SHA256 89de0f0678f1d1d3f924589fbf24c5ef9f517d45db65a922291e553009a19962
SHA512 9fd6cec31f46daccf0a1d3692353803d37a864332e898b0e38f0cf21a4a63cc5537d0001f1d70247f9eaccaa5de6bc98964553fd7065a79b8f827d4e30913db3

memory/1688-12-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1688-13-0x0000000000480000-0x00000000004E5000-memory.dmp

\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe

MD5 94991507c04f29915d7afeb6a1ce2c0b
SHA1 bb71a4a11a793cd6e4554e6cfa415bc93509599d
SHA256 0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f
SHA512 b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0

memory/2788-21-0x0000000000310000-0x0000000000375000-memory.dmp

memory/2788-24-0x0000000000400000-0x0000000000474000-memory.dmp

memory/2724-26-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2724-23-0x0000000000520000-0x0000000000621000-memory.dmp

memory/2724-22-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

memory/1244-29-0x0000000006EC0000-0x0000000006FC1000-memory.dmp

memory/2724-31-0x0000000000520000-0x0000000000621000-memory.dmp

memory/2724-34-0x0000000000520000-0x0000000000621000-memory.dmp

memory/1244-32-0x0000000002B90000-0x0000000002B91000-memory.dmp

memory/1244-39-0x0000000006EC0000-0x0000000006FC1000-memory.dmp

memory/1244-40-0x0000000006EC0000-0x0000000006FC1000-memory.dmp

memory/1244-42-0x0000000006EC0000-0x0000000006FC1000-memory.dmp

memory/1244-41-0x0000000006EC0000-0x0000000006FC1000-memory.dmp

memory/1244-43-0x0000000006EC0000-0x0000000006FC1000-memory.dmp