Malware Analysis Report

2025-04-03 09:18

Sample ID 250308-pvdkrsxlv9
Target b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
SHA256 b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
Tags
a4d2cd amadey systembc defense_evasion discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

Threat Level: Known bad

The file b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe was found to be: Known bad.

Malicious Activity Summary

a4d2cd amadey systembc defense_evasion discovery trojan

SystemBC

Amadey family

Amadey

Systembc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Checks BIOS information in registry

Loads dropped DLL

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-08 12:38

Signatures

Amadey family

amadey

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-08 12:38

Reported

2025-03-08 12:41

Platform

win7-20250207-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\rtwcfx\slgcrmb.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\rtwcfx\slgcrmb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\rtwcfx\slgcrmb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\ProgramData\rtwcfx\slgcrmb.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
N/A N/A C:\ProgramData\rtwcfx\slgcrmb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\rtwcfx\slgcrmb.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
N/A N/A C:\ProgramData\rtwcfx\slgcrmb.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1644 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1644 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1644 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2616 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe
PID 2616 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe
PID 2616 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe
PID 2616 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe
PID 2860 wrote to memory of 2148 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\rtwcfx\slgcrmb.exe
PID 2860 wrote to memory of 2148 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\rtwcfx\slgcrmb.exe
PID 2860 wrote to memory of 2148 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\rtwcfx\slgcrmb.exe
PID 2860 wrote to memory of 2148 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\rtwcfx\slgcrmb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe

"C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe

"C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {AE5A1B07-084D-4254-B03B-CA926ACE4294} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]

C:\ProgramData\rtwcfx\slgcrmb.exe

C:\ProgramData\rtwcfx\slgcrmb.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 213.209.150.137:4086 towerbingobongoboom.com tcp

Files

memory/1644-1-0x00000000004C0000-0x00000000004C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 a9749ee52eefb0fd48a66527095354bb
SHA1 78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256 b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
SHA512 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe

MD5 190272ebd2e82a80b242b1bdd442b859
SHA1 fceb12a205c28c30b2049c55924a9872a1a3eb71
SHA256 c13d59dc2e8ee1cbdb8016de0fb3b374f827406fa5d2d1aa4a2820170816d131
SHA512 f3b30d8ea2dd2c451a042b4ed7a9e98d2bcfbb86a88bec2d672a3e1ae6ab3932daf8987eef872e6adb11144f92b9954ac6f6ce67e24a2bc391d7b34ebef876ae

memory/2616-26-0x0000000004380000-0x00000000047C0000-memory.dmp

memory/2616-28-0x0000000004380000-0x00000000047C0000-memory.dmp

memory/2700-27-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2700-29-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2700-32-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-36-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 2a5e89c8452d2f29269fb61df8cc2289
SHA1 3acc1ddf78c34338c3c8d4e85c19a9167ba5a113
SHA256 230e088bc7a8f1b39b5db3255c7e5f344030821680a0261649f0452419d8ca02
SHA512 2a08f71f3ab17134531da1a3f549d042612c4278281ae542a10253f6ead1f64dc8a4444328565c56a1c2720839b60592f1fe36b56d5298857f653923f0e5718b

memory/2616-38-0x0000000004380000-0x00000000047C0000-memory.dmp

memory/2700-39-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2700-40-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2700-41-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-42-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-43-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2700-44-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-45-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2700-46-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-47-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2700-48-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-49-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2700-50-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-51-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2700-52-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2700-53-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-54-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-55-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-56-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-57-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-58-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-59-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-60-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2148-61-0x0000000000400000-0x0000000000840000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-08 12:38

Reported

2025-03-08 12:41

Platform

win10v2004-20250217-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\mcrjdx\kjkdn.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\mcrjdx\kjkdn.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\mcrjdx\kjkdn.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\ProgramData\mcrjdx\kjkdn.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
N/A N/A C:\ProgramData\mcrjdx\kjkdn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\mcrjdx\kjkdn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe

"C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe

"C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\mcrjdx\kjkdn.exe

C:\ProgramData\mcrjdx\kjkdn.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 213.209.150.137:4151 towerbingobongoboom.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 a9749ee52eefb0fd48a66527095354bb
SHA1 78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256 b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
SHA512 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe

MD5 190272ebd2e82a80b242b1bdd442b859
SHA1 fceb12a205c28c30b2049c55924a9872a1a3eb71
SHA256 c13d59dc2e8ee1cbdb8016de0fb3b374f827406fa5d2d1aa4a2820170816d131
SHA512 f3b30d8ea2dd2c451a042b4ed7a9e98d2bcfbb86a88bec2d672a3e1ae6ab3932daf8987eef872e6adb11144f92b9954ac6f6ce67e24a2bc391d7b34ebef876ae

memory/4396-25-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4396-26-0x0000000077C24000-0x0000000077C26000-memory.dmp

memory/4396-27-0x0000000000401000-0x0000000000403000-memory.dmp

memory/4396-29-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4396-32-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4396-33-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4396-34-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4396-35-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4396-36-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4396-37-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4396-38-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4396-39-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4396-40-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4396-42-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1048-45-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 71f464e5b740c4741ee2f47f89b3d421
SHA1 bd873a4c7b894727f04816dfe420c23dac4bbbde
SHA256 e8e69e5e44718e05cbbff8d9c6b56c68446974d66c6007f83258fa6d8ec16f1d
SHA512 068296a6e5df69f49f7778b57df187f7802c7e2a12fcd11363a0443532514ffefcb1111335b6b19bd6b35f335f70d303f3d755a726b28a8e0fde9c79be484b92

memory/1048-48-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1048-49-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1048-50-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1048-51-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1048-52-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1048-54-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1048-55-0x0000000000400000-0x0000000000840000-memory.dmp