Malware Analysis Report

2024-10-18 23:41

Sample ID 240812-frj4ps1cre
Target a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd
SHA256 a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd
Tags
amadey 0657d1 discovery evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd

Threat Level: Known bad

The file a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd was found to be: Known bad.

Malicious Activity Summary

amadey 0657d1 discovery evasion trojan

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 05:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 05:06

Reported

2024-08-12 05:11

Platform

win10-20240611-en

Max time kernel

293s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe

"C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/1972-0-0x0000000001070000-0x0000000001535000-memory.dmp

memory/1972-1-0x0000000077074000-0x0000000077075000-memory.dmp

memory/1972-2-0x0000000001071000-0x000000000109F000-memory.dmp

memory/1972-3-0x0000000001070000-0x0000000001535000-memory.dmp

memory/1972-4-0x0000000001070000-0x0000000001535000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 541a410ec2e96f6ce14befd4312b3478
SHA1 69824f49bb7b180904632f865652429a5762c290
SHA256 a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd
SHA512 3f2fed505a34b92c40251c2d66838e92ae0d9f8323f9a7ad3edf0103c46dffa086b5574713a92dd4f23088faedd151ed959cd70e2a609f3add39f090f03cd046

memory/1972-13-0x0000000001070000-0x0000000001535000-memory.dmp

memory/4524-14-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-15-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-16-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-18-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-17-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-19-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-20-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-21-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-22-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-23-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/3948-25-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/3948-27-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-28-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-29-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-30-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-31-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-32-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-33-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/2964-36-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-37-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-38-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-39-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-40-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-41-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-42-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4392-44-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-45-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-46-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-47-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-48-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-49-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-50-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4220-53-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-54-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-55-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-56-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-57-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-58-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-59-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/1700-62-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-63-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-64-0x0000000000F10000-0x00000000013D5000-memory.dmp

memory/4524-65-0x0000000000F10000-0x00000000013D5000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 05:06

Reported

2024-08-12 05:11

Platform

win7-20240705-en

Max time kernel

292s

Max time network

262s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe

"C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.19:80 185.215.113.19 tcp

Files

memory/2148-0-0x0000000000E20000-0x00000000012E5000-memory.dmp

memory/2148-1-0x0000000000E20000-0x00000000012E5000-memory.dmp

memory/2148-2-0x0000000000E20000-0x00000000012E5000-memory.dmp

memory/2148-4-0x0000000000E20000-0x00000000012E5000-memory.dmp

memory/2148-8-0x0000000000E20000-0x00000000012E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 541a410ec2e96f6ce14befd4312b3478
SHA1 69824f49bb7b180904632f865652429a5762c290
SHA256 a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd
SHA512 3f2fed505a34b92c40251c2d66838e92ae0d9f8323f9a7ad3edf0103c46dffa086b5574713a92dd4f23088faedd151ed959cd70e2a609f3add39f090f03cd046

memory/2148-15-0x0000000000E20000-0x00000000012E5000-memory.dmp

memory/2804-16-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-20-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-19-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-18-0x0000000000F41000-0x0000000000F6F000-memory.dmp

memory/2804-17-0x0000000077D80000-0x0000000077D82000-memory.dmp

memory/2804-22-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-23-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-24-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-25-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-26-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-27-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-28-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-29-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-30-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-31-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-32-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-33-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-34-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-35-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-36-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-37-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-38-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-39-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-40-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-41-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-42-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-43-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-44-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-45-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-46-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-47-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-48-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-49-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-50-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-51-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-52-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-53-0x0000000000F40000-0x0000000001405000-memory.dmp

memory/2804-54-0x0000000000F40000-0x0000000001405000-memory.dmp