Analysis Overview
SHA256
9c9f216f78eab96d5168acc4a5a4cf2c5081fdeb4713e74e0b3d21178c086dbe
Threat Level: Known bad
The file 0b292996920f8c4f236b9a7f99e1b792 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 02:09
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 02:09
Reported
2023-12-30 15:39
Platform
win7-20231215-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\GRA5tbY\dccw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uv4ONv\mstsc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\GRA5tbY\dccw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\uv4ONv\mstsc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\bMKJ3\\mstsc.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\GRA5tbY\dccw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\uv4ONv\mstsc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1380 wrote to memory of 788 | N/A | N/A | C:\Windows\system32\dccw.exe |
| PID 1380 wrote to memory of 2884 | N/A | N/A | C:\Users\Admin\AppData\Local\GRA5tbY\dccw.exe |
| PID 1380 wrote to memory of 2632 | N/A | N/A | C:\Windows\system32\mstsc.exe |
| PID 1380 wrote to memory of 2964 | N/A | N/A | C:\Users\Admin\AppData\Local\uv4ONv\mstsc.exe |
| PID 1380 wrote to memory of 1580 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe |
| PID 1380 wrote to memory of 916 | N/A | N/A | C:\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b292996920f8c4f236b9a7f99e1b792.dll,#1
C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
C:\Users\Admin\AppData\Local\GRA5tbY\dccw.exe
C:\Users\Admin\AppData\Local\GRA5tbY\dccw.exe
C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
C:\Users\Admin\AppData\Local\uv4ONv\mstsc.exe
C:\Users\Admin\AppData\Local\uv4ONv\mstsc.exe
C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
C:\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe
C:\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe
Network
Files
\Users\Admin\AppData\Local\GRA5tbY\dccw.exe
| MD5 | a46cee731351eb4146db8e8a63a5c520 |
| SHA1 | 8ea441e4a77642e12987ac842b36034230edd731 |
| SHA256 | 283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5 |
| SHA512 | 3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc |
C:\Users\Admin\AppData\Local\GRA5tbY\dxva2.dll
| MD5 | 2bbee1768e665bcef08e5c949164b5de |
| SHA1 | b6ccfebbc985556915599ecc291a82fd1ce13ec5 |
| SHA256 | 8c6282475e3cd2c4f4242ecd689093a1dc2ea74d0ee0097e448a1ea4f610b2c1 |
| SHA512 | d26ccf554220426e90875a9d4044bb01b7e0ed1d416b369a45949a8702843ac5e2687b14bba9df2240d69f922a6d61dfb30a940c3273ae52a853e9b61b5eccb3 |
\Users\Admin\AppData\Local\uv4ONv\mstsc.exe
| MD5 | 50f739538ef014b2e7ec59431749d838 |
| SHA1 | b439762b8efe8cfb977e7374c11a7e4d8ed05eb3 |
| SHA256 | 85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3 |
| SHA512 | 02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8 |
C:\Users\Admin\AppData\Local\uv4ONv\WINMM.dll
| MD5 | cac9fe4154abc82aba54b283b3883905 |
| SHA1 | 00c91a5cedc87c445d254fa7fb6bfadf5a648567 |
| SHA256 | c94d2cc692941badfd788535d15a3b9493da3bcc428d95fe55a6b9720d637605 |
| SHA512 | 5b6a10e760994d8847668c251181f83bbcad143b45d6f72b26c3b6c055b79114a6d2dda02eec0f50c1e977eb88e91caa8fddfe918b6f4823d2ee223389d3d3fb |
\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe
| MD5 | 47f0f526ad4982806c54b845b3289de1 |
| SHA1 | 8420ea488a2e187fe1b7fcfb53040d10d5497236 |
| SHA256 | e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b |
| SHA512 | 4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d |
C:\Users\Admin\AppData\Local\WVR4V\UxTheme.dll
| MD5 | 26f17053bfd670506da877cb501ba9ed |
| SHA1 | ab51714c6622f13d5ae0d5caad57c6f8ae9918a0 |
| SHA256 | 7fc048ba9561bde5a2bb85f9b6c17d49f4bd0ebecc2faedaf1bc2967d8db131b |
| SHA512 | ce4a4992369a7f0ac91a7f471b4863287123e08c9043191ee936c9b4fb3841b1728262ec3a14531e9a5a598bacdfb54218332bccd0b623479dccd17fbd29d7c6 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
| MD5 | 2982129874f68aadbe000ee577b1b5a0 |
| SHA1 | 1dfc53e340958fc7088e8c0fecbb783cc697b2f3 |
| SHA256 | 9ce45a0410b3b34ca13f669bdd273d282fa47bde75ade5381b7e87f1fef9d7d7 |
| SHA512 | 3024286ef58d5f767dc952027173f87163618ccb46cec3e4e6a82b71849b739fb75fd8e2b1b7f772bd6028e0ae9d91059c6812a3d73633e6d5af1726bf61587b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 02:09
Reported
2023-12-30 15:39
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
121s
Command Line
Signatures
Dridex
Dridex Shellcode
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b292996920f8c4f236b9a7f99e1b792.dll,#1
C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
C:\Windows\system32\MusNotifyIcon.exe
C:\Windows\system32\MusNotifyIcon.exe
C:\Windows\system32\phoneactivate.exe
C:\Windows\system32\phoneactivate.exe
C:\Users\Admin\AppData\Local\qf1\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\qf1\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\9cw\dccw.exe
C:\Users\Admin\AppData\Local\9cw\dccw.exe
C:\Users\Admin\AppData\Local\nbCK\phoneactivate.exe
C:\Users\Admin\AppData\Local\nbCK\phoneactivate.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files