Malware Analysis Report

2024-11-16 13:25

Sample ID 241014-q2dpsayamg
Target fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN
SHA256 fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1cc
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1cc

Threat Level: Known bad

The file fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-14 13:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 13:45

Reported

2024-10-14 13:47

Platform

win7-20240729-en

Max time kernel

119s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dowaj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\buavn.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dowaj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\buavn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2532 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Users\Admin\AppData\Local\Temp\dowaj.exe
PID 2532 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Users\Admin\AppData\Local\Temp\dowaj.exe
PID 2532 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Users\Admin\AppData\Local\Temp\dowaj.exe
PID 2532 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Users\Admin\AppData\Local\Temp\dowaj.exe
PID 2532 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\dowaj.exe C:\Users\Admin\AppData\Local\Temp\buavn.exe
PID 2944 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\dowaj.exe C:\Users\Admin\AppData\Local\Temp\buavn.exe
PID 2944 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\dowaj.exe C:\Users\Admin\AppData\Local\Temp\buavn.exe
PID 2944 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\dowaj.exe C:\Users\Admin\AppData\Local\Temp\buavn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe

"C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe"

C:\Users\Admin\AppData\Local\Temp\dowaj.exe

"C:\Users\Admin\AppData\Local\Temp\dowaj.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\buavn.exe

"C:\Users\Admin\AppData\Local\Temp\buavn.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp

Files

memory/2532-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2532-0-0x0000000000100000-0x0000000000181000-memory.dmp

\Users\Admin\AppData\Local\Temp\dowaj.exe

MD5 30bd55c13cb99c809549d8f348fcde10
SHA1 8e6301976adc559c45b1a7d33b3dd794cfb8c120
SHA256 e5172814f8f5ee0477cf7637b929ba8285781c5cf0b7a7fb371ce8daa425c2f8
SHA512 f45ebd4b6f6dd94b1e39fd6aa3645617a60815dddee8c58e0f555a63afc6ab81c1a4e6a6bbb3fd82865cd2179f3b19119a4103ad121d7fdf28b9f7e6c30164aa

memory/2532-9-0x0000000002530000-0x00000000025B1000-memory.dmp

memory/2944-18-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 46f754e37aed4155b704844ac14dde1b
SHA1 39ba3199c5734d7d2c9d9b7475526e8c06146ffe
SHA256 e137a91ddc3844d3f273edf27fa13093274d6ea601263be48f42585844712a4c
SHA512 bd5bbfacd8e5d254deff9f1735e652946ed1aba345ff4ec83ca0e1d5f25bafcf34a24d8eaf90b673ea43b4aa3872696afa93992517ea727d9652e716eb9d4e20

memory/2944-12-0x0000000000370000-0x00000000003F1000-memory.dmp

memory/2532-21-0x0000000000100000-0x0000000000181000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 16ab143ed7dd398a20dc775e3091f8e9
SHA1 8ad1becf8c6221d2ca7ee7746afecc5f881ed852
SHA256 6e0d46da33c958c91d4d381a04b29e89ec5b2a4353e774c3fbe5e03632b3e046
SHA512 affcaa5d3c4070ec9bce17daba3060ae8ab6d1da595cf9c650681274530d0135e8ff66283031f4b00d9e4e22b514b74dff1d180aa7aad11297aa23b8522169ee

memory/2944-24-0x0000000000370000-0x00000000003F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\buavn.exe

MD5 1203e18f7af9de1d2ebb7b09e32a36c5
SHA1 a7a94447bd0b9cc055b3406f94343ada2cd221da
SHA256 9b77026b87f1a10132df14cd55547a3546447d7640fcf88b486c0d0ed5d5c04f
SHA512 18c62a418a23641dc2db80dc5e848ce672a0de02202ede9799143ac3bf396064e79c5515b12097abdb37b220f13ef87e9be668052b811f1d22eda29b327d3034

memory/2944-38-0x0000000004230000-0x00000000042C9000-memory.dmp

memory/2944-42-0x0000000000370000-0x00000000003F1000-memory.dmp

memory/2876-40-0x0000000001380000-0x0000000001419000-memory.dmp

memory/2876-43-0x0000000001380000-0x0000000001419000-memory.dmp

memory/2876-47-0x0000000001380000-0x0000000001419000-memory.dmp

memory/2876-48-0x0000000001380000-0x0000000001419000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-14 13:45

Reported

2024-10-14 13:47

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gohuc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gohuc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gohuc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sopok.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4244 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Users\Admin\AppData\Local\Temp\gohuc.exe
PID 4244 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Users\Admin\AppData\Local\Temp\gohuc.exe
PID 4244 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Users\Admin\AppData\Local\Temp\gohuc.exe
PID 4244 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\gohuc.exe C:\Users\Admin\AppData\Local\Temp\sopok.exe
PID 1832 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\gohuc.exe C:\Users\Admin\AppData\Local\Temp\sopok.exe
PID 1832 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\gohuc.exe C:\Users\Admin\AppData\Local\Temp\sopok.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe

"C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe"

C:\Users\Admin\AppData\Local\Temp\gohuc.exe

"C:\Users\Admin\AppData\Local\Temp\gohuc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\sopok.exe

"C:\Users\Admin\AppData\Local\Temp\sopok.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/4244-0-0x0000000000DE0000-0x0000000000E61000-memory.dmp

memory/4244-1-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gohuc.exe

MD5 b3fe83129e5e09a5f64fa12afdaf8a41
SHA1 35fb58cbc11838e1740e0ea0516c9d46cb0298e7
SHA256 43d5750fe26407e0b622f5068f5caa4951dc96f2c4b116512247c296470be9e3
SHA512 cd1693d992c0401bdc76b04b319d1901da162884c2cfdfadd80861fb1094905d9d60c24ea13ab9f936c41a3a13c6ec062699e22f0f01e8f1b71a71e3943e7b05

memory/1832-11-0x0000000000260000-0x00000000002E1000-memory.dmp

memory/1832-14-0x0000000001310000-0x0000000001311000-memory.dmp

memory/4244-17-0x0000000000DE0000-0x0000000000E61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 46f754e37aed4155b704844ac14dde1b
SHA1 39ba3199c5734d7d2c9d9b7475526e8c06146ffe
SHA256 e137a91ddc3844d3f273edf27fa13093274d6ea601263be48f42585844712a4c
SHA512 bd5bbfacd8e5d254deff9f1735e652946ed1aba345ff4ec83ca0e1d5f25bafcf34a24d8eaf90b673ea43b4aa3872696afa93992517ea727d9652e716eb9d4e20

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 47269b675bccf3b135256f651d8841d9
SHA1 99e6619106a13a811151c58ca69da78437cb9ffc
SHA256 d5d47d78a44814bba4c9e8f34a5d001929c44bff2f6c0db60ffb9eccf0923e35
SHA512 288b2743a02898fbfec1cfd6dd3c14b5b497681d5370f193f956a43a346643be37cf811fe67e670cc0fcaaf2271f6be3207c29ba6d7a3f584a53513f003b4ceb

memory/1832-21-0x0000000001310000-0x0000000001311000-memory.dmp

memory/1832-20-0x0000000000260000-0x00000000002E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sopok.exe

MD5 0b908004debbda24e0a6707b2f27844b
SHA1 8dd70fd7e665b75eeb223658cbfa16749037b370
SHA256 84cdf43d3be720a60b1af2d52d4db76e36625cd661b98907f8fab3c979eb2e19
SHA512 6594d49cb0b3dee7d4cb5c251651e1b9493fa70e2810ba5c3dfec4cbb2a5ab4416d933ef63b785e36605bb9d2612d42413ed398b8c5b12856f8f3ddb2d524c67

memory/2136-39-0x00000000009A0000-0x00000000009A2000-memory.dmp

memory/2136-38-0x0000000000D20000-0x0000000000DB9000-memory.dmp

memory/1832-41-0x0000000000260000-0x00000000002E1000-memory.dmp

memory/2136-42-0x0000000000D20000-0x0000000000DB9000-memory.dmp

memory/2136-46-0x00000000009A0000-0x00000000009A2000-memory.dmp

memory/2136-47-0x0000000000D20000-0x0000000000DB9000-memory.dmp

memory/2136-48-0x0000000000D20000-0x0000000000DB9000-memory.dmp