Analysis Overview
SHA256
57dc3169be701c4d85f51a5b168e4bfcdf6052661809b35c17d49d7da216ad56
Threat Level: Known bad
The file 0905f3b5aa3ee361ef34c75769c6bf03 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 00:47
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 00:47
Reported
2023-12-30 22:56
Platform
win7-20231129-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\YpiCVEdn\slui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0zr\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uvFQDc\SystemPropertiesAdvanced.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\YpiCVEdn\slui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0zr\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uvFQDc\SystemPropertiesAdvanced.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\8bWKK\\sigverif.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\YpiCVEdn\slui.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\0zr\sigverif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\uvFQDc\SystemPropertiesAdvanced.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1248 wrote to memory of 2628 | N/A | N/A | C:\Windows\system32\slui.exe |
| PID 1248 wrote to memory of 2568 | N/A | N/A | C:\Users\Admin\AppData\Local\YpiCVEdn\slui.exe |
| PID 1248 wrote to memory of 2140 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 1248 wrote to memory of 2076 | N/A | N/A | C:\Users\Admin\AppData\Local\0zr\sigverif.exe |
| PID 1248 wrote to memory of 2340 | N/A | N/A | C:\Windows\system32\SystemPropertiesAdvanced.exe |
| PID 1248 wrote to memory of 1240 | N/A | N/A | C:\Users\Admin\AppData\Local\uvFQDc\SystemPropertiesAdvanced.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0905f3b5aa3ee361ef34c75769c6bf03.dll,#1
C:\Windows\system32\slui.exe
C:\Users\Admin\AppData\Local\YpiCVEdn\slui.exe
C:\Users\Admin\AppData\Local\0zr\sigverif.exe
C:\Windows\system32\sigverif.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\uvFQDc\SystemPropertiesAdvanced.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 00:47
Reported
2023-12-30 22:56
Platform
win10v2004-20231215-en
Max time kernel
81s
Max time network
150s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\X5Z\BitLockerWizardElev.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4PdJWr\OptionalFeatures.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\T0b\sessionmsg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\X5Z\BitLockerWizardElev.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4PdJWr\OptionalFeatures.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\T0b\sessionmsg.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\CteMw\\netAdc6C\\OPTION~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\X5Z\BitLockerWizardElev.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4PdJWr\OptionalFeatures.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\T0b\sessionmsg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0905f3b5aa3ee361ef34c75769c6bf03.dll,#1
C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\sessionmsg.exe
C:\Users\Admin\AppData\Local\T0b\sessionmsg.exe
C:\Users\Admin\AppData\Local\4PdJWr\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\X5Z\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files