Analysis Overview
SHA256
7451c36c889f034126cbb112409144e10c76c053846ac31d113f90d48ad96c08
Threat Level: Known bad
The file 1d0dfe8cb5ce6985affa09212965265b was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 21:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 21:30
Reported
2024-01-04 11:45
Platform
win7-20231215-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\yn6Ke\wisptis.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\RJpQZXo\mmc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TxkJHFo\sethc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\yn6Ke\wisptis.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\RJpQZXo\mmc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TxkJHFo\sethc.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\15BDD3~1\\mmc.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\yn6Ke\wisptis.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\RJpQZXo\mmc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\TxkJHFo\sethc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1196 wrote to memory of 1232 | N/A | N/A | C:\Windows\system32\wisptis.exe |
| PID 1196 wrote to memory of 1232 | N/A | N/A | C:\Windows\system32\wisptis.exe |
| PID 1196 wrote to memory of 1232 | N/A | N/A | C:\Windows\system32\wisptis.exe |
| PID 1196 wrote to memory of 2988 | N/A | N/A | C:\Users\Admin\AppData\Local\yn6Ke\wisptis.exe |
| PID 1196 wrote to memory of 2988 | N/A | N/A | C:\Users\Admin\AppData\Local\yn6Ke\wisptis.exe |
| PID 1196 wrote to memory of 2988 | N/A | N/A | C:\Users\Admin\AppData\Local\yn6Ke\wisptis.exe |
| PID 1196 wrote to memory of 860 | N/A | N/A | C:\Windows\system32\mmc.exe |
| PID 1196 wrote to memory of 860 | N/A | N/A | C:\Windows\system32\mmc.exe |
| PID 1196 wrote to memory of 860 | N/A | N/A | C:\Windows\system32\mmc.exe |
| PID 1196 wrote to memory of 2916 | N/A | N/A | C:\Users\Admin\AppData\Local\RJpQZXo\mmc.exe |
| PID 1196 wrote to memory of 2916 | N/A | N/A | C:\Users\Admin\AppData\Local\RJpQZXo\mmc.exe |
| PID 1196 wrote to memory of 2916 | N/A | N/A | C:\Users\Admin\AppData\Local\RJpQZXo\mmc.exe |
| PID 1196 wrote to memory of 2904 | N/A | N/A | C:\Windows\system32\sethc.exe |
| PID 1196 wrote to memory of 2904 | N/A | N/A | C:\Windows\system32\sethc.exe |
| PID 1196 wrote to memory of 2904 | N/A | N/A | C:\Windows\system32\sethc.exe |
| PID 1196 wrote to memory of 2676 | N/A | N/A | C:\Users\Admin\AppData\Local\TxkJHFo\sethc.exe |
| PID 1196 wrote to memory of 2676 | N/A | N/A | C:\Users\Admin\AppData\Local\TxkJHFo\sethc.exe |
| PID 1196 wrote to memory of 2676 | N/A | N/A | C:\Users\Admin\AppData\Local\TxkJHFo\sethc.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d0dfe8cb5ce6985affa09212965265b.dll,#1
C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
C:\Users\Admin\AppData\Local\yn6Ke\wisptis.exe
C:\Users\Admin\AppData\Local\yn6Ke\wisptis.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
C:\Users\Admin\AppData\Local\RJpQZXo\mmc.exe
C:\Users\Admin\AppData\Local\RJpQZXo\mmc.exe
C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
C:\Users\Admin\AppData\Local\TxkJHFo\sethc.exe
C:\Users\Admin\AppData\Local\TxkJHFo\sethc.exe
Network
Files
memory/2288-0-0x00000000002A0000-0x00000000002A7000-memory.dmp
memory/2288-1-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-4-0x0000000076EB6000-0x0000000076EB7000-memory.dmp
memory/1196-5-0x0000000002520000-0x0000000002521000-memory.dmp
memory/2288-8-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-11-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-19-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-26-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-33-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-40-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-47-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-53-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-58-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-65-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-64-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-63-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-72-0x0000000002500000-0x0000000002507000-memory.dmp
memory/1196-62-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-83-0x0000000077220000-0x0000000077222000-memory.dmp
memory/1196-82-0x00000000770C1000-0x00000000770C2000-memory.dmp
memory/1196-61-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-60-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-59-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-57-0x0000000140000000-0x0000000140386000-memory.dmp
memory/2988-110-0x0000000000110000-0x0000000000117000-memory.dmp
memory/1196-56-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-55-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-54-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-52-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-51-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-50-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-49-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-48-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-46-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-45-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-44-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-43-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-42-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-41-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-39-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-38-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-37-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-36-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-35-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-34-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-32-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-31-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-30-0x0000000140000000-0x0000000140386000-memory.dmp
memory/2916-132-0x0000000000790000-0x0000000000797000-memory.dmp
memory/1196-29-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-28-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-27-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-25-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-24-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-23-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-22-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-21-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-20-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-18-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-17-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-16-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-15-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-14-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-13-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-12-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-10-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-9-0x0000000140000000-0x0000000140386000-memory.dmp
memory/1196-7-0x0000000140000000-0x0000000140386000-memory.dmp
memory/2676-156-0x0000000000330000-0x0000000000337000-memory.dmp
memory/1196-187-0x0000000076EB6000-0x0000000076EB7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 21:30
Reported
2024-01-04 11:45
Platform
win10v2004-20231215-en
Max time kernel
1s
Max time network
135s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d0dfe8cb5ce6985affa09212965265b.dll,#1
C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Users\Admin\AppData\Local\a7l8wG\wermgr.exe
C:\Users\Admin\AppData\Local\a7l8wG\wermgr.exe
C:\Users\Admin\AppData\Local\0lz0vNn\CloudNotifications.exe
C:\Users\Admin\AppData\Local\0lz0vNn\CloudNotifications.exe
C:\Users\Admin\AppData\Local\i3czzLcn\rdpshell.exe
C:\Users\Admin\AppData\Local\i3czzLcn\rdpshell.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 92.123.241.137:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.241.123.92.in-addr.arpa | udp |
| US | 92.123.241.137:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
Files
memory/3224-1-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3224-0-0x000001B22ABE0000-0x000001B22ABE7000-memory.dmp
memory/3560-4-0x0000000002EB0000-0x0000000002EB1000-memory.dmp
memory/3560-12-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-11-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-14-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-17-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-20-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-23-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-27-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-31-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-34-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-37-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-40-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-43-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-44-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-42-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-46-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-48-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-51-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-54-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-57-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-60-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-64-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-65-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-63-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-62-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-72-0x0000000002E60000-0x0000000002E67000-memory.dmp
memory/3560-61-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-80-0x00007FFBEC400000-0x00007FFBEC410000-memory.dmp
memory/3560-59-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-58-0x0000000140000000-0x0000000140386000-memory.dmp
memory/4136-102-0x00000276EC400000-0x00000276EC407000-memory.dmp
memory/2952-119-0x000001DD7D440000-0x000001DD7D447000-memory.dmp
memory/872-134-0x000001D52FAC0000-0x000001D52FAC7000-memory.dmp
memory/3560-56-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-55-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-53-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-52-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-50-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-49-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-47-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-45-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-41-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-39-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-38-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-36-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-35-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-33-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-32-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-29-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-30-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-28-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-26-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-25-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-24-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-22-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-21-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-19-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-18-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-16-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-15-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-13-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-10-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-9-0x00007FFBEB9FA000-0x00007FFBEB9FB000-memory.dmp
memory/3224-7-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-6-0x0000000140000000-0x0000000140386000-memory.dmp
memory/3560-8-0x0000000140000000-0x0000000140386000-memory.dmp