Malware Analysis Report

2024-10-18 23:41

Sample ID 240812-fsc2sawhnl
Target cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8
SHA256 cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8
Tags
amadey 0657d1 discovery evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8

Threat Level: Known bad

The file cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8 was found to be: Known bad.

Malicious Activity Summary

amadey 0657d1 discovery evasion trojan

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 05:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 05:07

Reported

2024-08-12 05:12

Platform

win10-20240404-en

Max time kernel

292s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe

"C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/420-0-0x0000000000EB0000-0x0000000001386000-memory.dmp

memory/420-1-0x0000000077A34000-0x0000000077A35000-memory.dmp

memory/420-2-0x0000000000EB1000-0x0000000000EDF000-memory.dmp

memory/420-3-0x0000000000EB0000-0x0000000001386000-memory.dmp

memory/420-4-0x0000000000EB0000-0x0000000001386000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 119223dee5bdd531510df36460e06934
SHA1 7fe7814cd8d42c34cdbc684e5eab37172764e0e5
SHA256 cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8
SHA512 3bcab4999eecc857cb0c1103b34e5d3a3a09652cf9e044a8647a22133f38f9e52045df09dc4290989e74c3f4a83a039c337139248ad90e6e0d4f16eaa2ca29dd

memory/3044-15-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/420-14-0x0000000000EB0000-0x0000000001386000-memory.dmp

memory/3044-16-0x0000000000981000-0x00000000009AF000-memory.dmp

memory/3044-17-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-18-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-19-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-21-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/4824-22-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/4824-23-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-24-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-26-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-25-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-27-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-28-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-29-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-30-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-31-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-33-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/1472-34-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/1472-36-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-37-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-38-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-39-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-40-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-41-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-43-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/1580-44-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/1580-45-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-46-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-47-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-48-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-49-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-50-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-52-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/1408-53-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/1408-54-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-55-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-56-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-57-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-58-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-59-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/4704-62-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-61-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/4704-64-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-65-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-66-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-67-0x0000000000980000-0x0000000000E56000-memory.dmp

memory/3044-68-0x0000000000980000-0x0000000000E56000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 05:07

Reported

2024-08-12 05:12

Platform

win7-20240705-en

Max time kernel

292s

Max time network

259s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe

"C:\Users\Admin\AppData\Local\Temp\cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.19:80 185.215.113.19 tcp

Files

memory/2976-0-0x0000000000EE0000-0x00000000013B6000-memory.dmp

memory/2976-1-0x00000000777E0000-0x00000000777E2000-memory.dmp

memory/2976-2-0x0000000000EE1000-0x0000000000F0F000-memory.dmp

memory/2976-3-0x0000000000EE0000-0x00000000013B6000-memory.dmp

memory/2976-4-0x0000000000EE0000-0x00000000013B6000-memory.dmp

memory/2976-6-0x0000000000EE0000-0x00000000013B6000-memory.dmp

memory/2976-11-0x0000000000EE0000-0x00000000013B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 119223dee5bdd531510df36460e06934
SHA1 7fe7814cd8d42c34cdbc684e5eab37172764e0e5
SHA256 cd6d19a01447feaf4de281a8f6d631f3453964a20cc224d41a40c588e7da59e8
SHA512 3bcab4999eecc857cb0c1103b34e5d3a3a09652cf9e044a8647a22133f38f9e52045df09dc4290989e74c3f4a83a039c337139248ad90e6e0d4f16eaa2ca29dd

memory/2976-17-0x0000000000EE0000-0x00000000013B6000-memory.dmp

memory/2312-18-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2976-19-0x0000000006970000-0x0000000006E46000-memory.dmp

memory/2312-20-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-21-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-23-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-24-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-25-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-26-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2976-27-0x0000000006970000-0x0000000006E46000-memory.dmp

memory/2312-28-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-29-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-30-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-31-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-32-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-33-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-34-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-35-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-36-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-37-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-38-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-39-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-40-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-41-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-42-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-43-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-44-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-45-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-46-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-47-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-48-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-49-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-50-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-51-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-52-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-53-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-54-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-55-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-56-0x0000000000DA0000-0x0000000001276000-memory.dmp

memory/2312-57-0x0000000000DA0000-0x0000000001276000-memory.dmp