Malware Analysis Report

2024-11-30 21:29

Sample ID 231230-25mmmsacan
Target 1f84d4f84a27e5673e06f3c2c7293de5
SHA256 b69254940db917b0682de4197c082f8d9902923ff03f82178f3abf2af3cae4bb
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 b69254940db917b0682de4197c082f8d9902923ff03f82178f3abf2af3cae4bb

Threat Level: Known bad

The file 1f84d4f84a27e5673e06f3c2c7293de5 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 23:10

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 23:09

Reported

2024-01-01 11:15

Platform

win7-20231215-en

Max time kernel

150s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f84d4f84a27e5673e06f3c2c7293de5.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Qx2iEq\SystemPropertiesDataExecutionPrevention.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\UNHGVk\iexpress.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\4T5H\FXSCOVER.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JD2cgJo\\iexpress.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\4T5H\FXSCOVER.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Qx2iEq\SystemPropertiesDataExecutionPrevention.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\UNHGVk\iexpress.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 2464 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1272 wrote to memory of 2464 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1272 wrote to memory of 2464 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1272 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\Qx2iEq\SystemPropertiesDataExecutionPrevention.exe
PID 1272 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\Qx2iEq\SystemPropertiesDataExecutionPrevention.exe
PID 1272 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\Qx2iEq\SystemPropertiesDataExecutionPrevention.exe
PID 1272 wrote to memory of 2836 N/A N/A C:\Windows\system32\iexpress.exe
PID 1272 wrote to memory of 2836 N/A N/A C:\Windows\system32\iexpress.exe
PID 1272 wrote to memory of 2836 N/A N/A C:\Windows\system32\iexpress.exe
PID 1272 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\UNHGVk\iexpress.exe
PID 1272 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\UNHGVk\iexpress.exe
PID 1272 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\UNHGVk\iexpress.exe
PID 1272 wrote to memory of 1152 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1272 wrote to memory of 1152 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1272 wrote to memory of 1152 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1272 wrote to memory of 1624 N/A N/A C:\Users\Admin\AppData\Local\4T5H\FXSCOVER.exe
PID 1272 wrote to memory of 1624 N/A N/A C:\Users\Admin\AppData\Local\4T5H\FXSCOVER.exe
PID 1272 wrote to memory of 1624 N/A N/A C:\Users\Admin\AppData\Local\4T5H\FXSCOVER.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f84d4f84a27e5673e06f3c2c7293de5.dll,#1

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\Qx2iEq\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\Qx2iEq\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\iexpress.exe

C:\Windows\system32\iexpress.exe

C:\Users\Admin\AppData\Local\UNHGVk\iexpress.exe

C:\Users\Admin\AppData\Local\UNHGVk\iexpress.exe

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\4T5H\FXSCOVER.exe

C:\Users\Admin\AppData\Local\4T5H\FXSCOVER.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Qx2iEq\SYSDM.CPL

MD5 c96e45fc25fac17c5f9035963964cf29
SHA1 1f1639c8535e1021bda4680712209cae6a5a1b4f
SHA256 9a7c81d645868b5648c6475255b290064ff2e9d36f24f15085267b16ad361af1
SHA512 7ce5f8c75a6fa89a8ee044f6b5b578452a4fad55935f443db256c5835899eb6a840746e2d7665ed2e72cc893b8ae7bb3aad382ff8bf0b80765e4d011e5a64d60

\Users\Admin\AppData\Local\Qx2iEq\SYSDM.CPL

MD5 5e77e38053c18b89c0de9649f5238e7b
SHA1 45970d493b9cfc0a762c47b4af520047024da4ed
SHA256 12ec07b8aa1b1623a31578413e6341db119fd321c4c63c556098f29f71a454ac
SHA512 47f99db5129e6aeef29d3b067308027996ab5db530fc51c22dfaca39abd6837824f2475edc4fae9ade40299368ff4edf1e6d6117d4457524c1bd60fa61872d52

C:\Users\Admin\AppData\Local\Qx2iEq\SystemPropertiesDataExecutionPrevention.exe

MD5 e43ff7785fac643093b3b16a9300e133
SHA1 a30688e84c0b0a22669148fe87680b34fcca2fba
SHA256 c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b
SHA512 61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

\Users\Admin\AppData\Local\UNHGVk\iexpress.exe

MD5 05359cc0a399ddcd99325033b62efd63
SHA1 07a07ca4b7ac41fb65b8d56b1cce0dd9c2a0dd4d
SHA256 c217acf703ff1a13c8cf3f9621e985aa1bb1cf85db8ebc253f83ae0ebf9fbb57
SHA512 4f4dbd813eab70f4cc6b014a106e04dc65a532314735e081a6b4b47f036c6edfcebdf3a80fb591ab58171a9f3d2788e4225ea70c7abad616e0208b8c601dbbca

C:\Users\Admin\AppData\Local\UNHGVk\VERSION.dll

MD5 b54ff45498334066f7b86a67d2e381a0
SHA1 f6d862ee9e9b672e0328296b6accc56d705214b4
SHA256 c897fc0130015a9ca9a4bfceaa62303f03204bdd0219131a1b9e4074cac37661
SHA512 6fe33b4f9c42706281e4c39cdff18aba63c27c37a64f6b33d8b16da3c3a4d19d1973a3c573ebaf918af5ea5d69f6c50bde3a471397e4eec9cb0dc84362924342

C:\Users\Admin\AppData\Local\UNHGVk\iexpress.exe

MD5 46fd16f9b1924a2ea8cd5c6716cc654f
SHA1 99284bc91cf829e9602b4b95811c1d72977700b6
SHA256 9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3
SHA512 52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

\Users\Admin\AppData\Local\UNHGVk\VERSION.dll

MD5 8ca85227ecb5dcfafaabea99d78e6b55
SHA1 c2d614453d793a2a2ad4900b0b373560c2fb61fc
SHA256 fa3c56cb7ff365d8bf67b4dd51aa117769b491243c4149a820aeaa49d8c44b6f
SHA512 cdbfcfd58c025d28e91be6d15b39fbc5a517fc5cbbaa62c27cde84f7a699cb8714629a03edda42f6ab05ec62a82e210c30f3d40f9f3d805f2b0913674a211929

\Users\Admin\AppData\Local\4T5H\FXSCOVER.exe

MD5 5e2c61be8e093dbfe7fc37585be42869
SHA1 ed46cda4ece3ef187b0cf29ca843a6c6735af6c0
SHA256 3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121
SHA512 90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

C:\Users\Admin\AppData\Local\4T5H\MFC42u.dll

MD5 c11c7bdc55611a206d8ba0afd77162d2
SHA1 99bcb28136496c284286baa8a135920f67bcdbee
SHA256 ac40896c096614963c7f2e5f7f1cb9129d8dd155e5083427681f3e2fc0dbdad3
SHA512 87aee9a14f0cc39a7e3a4a8487649eefa9b032372ab842e9c3027beac641fc16fb426feb9819897747c27c48a408b7b99526ed77420c4c093ae6cf8290a7de7e

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 4bc82386f4feeeb09c115f7a5d182b91
SHA1 fda30d007d2b50643a765e6c310e543feb3e65d6
SHA256 f482b1245f844fec82409ef31d5246fe28ad7aaa66626d4d166caa49d25fd449
SHA512 d2f66b0ad9b51e382c16ea86f26719d1ed525a653539af24b284f7ed7331384c1adafeedd3b6042053ac016878614eafbffa6e5f7a42c02f97534fc462116158

C:\Users\Admin\AppData\Roaming\Mozilla\q7\SYSDM.CPL

MD5 9eedc0d78ba6854907cdcefb37ea0d74
SHA1 c935a57a235e256507422a674d9068f52e619439
SHA256 bfe54e19be6d2cb1e9b92ffa8f9eeeebc1f5d7277c285827a74901ef69001bf0
SHA512 0ab68742fd329a93657d4d7c7a6d95c29c3c82b7f47286148f10c87ebe9ef443fe658d073b38268f8c491386d47fc5bce116af560bf3d1f4611ceefc8a15e3b7

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 23:09

Reported

2024-01-01 11:16

Platform

win10v2004-20231222-en

Max time kernel

3s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f84d4f84a27e5673e06f3c2c7293de5.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f84d4f84a27e5673e06f3c2c7293de5.dll,#1

C:\Windows\system32\bdechangepin.exe

C:\Windows\system32\bdechangepin.exe

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe

C:\Users\Admin\AppData\Local\Pftiwv\bdechangepin.exe

C:\Users\Admin\AppData\Local\Pftiwv\bdechangepin.exe

C:\Windows\system32\SysResetErr.exe

C:\Windows\system32\SysResetErr.exe

C:\Users\Admin\AppData\Local\Xyt7\PasswordOnWakeSettingFlyout.exe

C:\Users\Admin\AppData\Local\Xyt7\PasswordOnWakeSettingFlyout.exe

C:\Users\Admin\AppData\Local\cg2gZpO\SysResetErr.exe

C:\Users\Admin\AppData\Local\cg2gZpO\SysResetErr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
NL 20.86.201.138:443 tcp
NL 20.86.201.138:443 tcp
NL 20.86.201.138:443 tcp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
