Malware Analysis Report

2024-11-30 21:15

Sample ID 231230-ck634shafk
Target 0b292996920f8c4f236b9a7f99e1b792
SHA256 9c9f216f78eab96d5168acc4a5a4cf2c5081fdeb4713e74e0b3d21178c086dbe
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9c9f216f78eab96d5168acc4a5a4cf2c5081fdeb4713e74e0b3d21178c086dbe

Threat Level: Known bad

The file 0b292996920f8c4f236b9a7f99e1b792 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 02:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 02:09

Reported

2023-12-30 15:39

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b292996920f8c4f236b9a7f99e1b792.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\GRA5tbY\dccw.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\uv4ONv\mstsc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\bMKJ3\\mstsc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\GRA5tbY\dccw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\uv4ONv\mstsc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1380 wrote to memory of 788 N/A N/A C:\Windows\system32\dccw.exe
PID 1380 wrote to memory of 788 N/A N/A C:\Windows\system32\dccw.exe
PID 1380 wrote to memory of 788 N/A N/A C:\Windows\system32\dccw.exe
PID 1380 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\GRA5tbY\dccw.exe
PID 1380 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\GRA5tbY\dccw.exe
PID 1380 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\GRA5tbY\dccw.exe
PID 1380 wrote to memory of 2632 N/A N/A C:\Windows\system32\mstsc.exe
PID 1380 wrote to memory of 2632 N/A N/A C:\Windows\system32\mstsc.exe
PID 1380 wrote to memory of 2632 N/A N/A C:\Windows\system32\mstsc.exe
PID 1380 wrote to memory of 2964 N/A N/A C:\Users\Admin\AppData\Local\uv4ONv\mstsc.exe
PID 1380 wrote to memory of 2964 N/A N/A C:\Users\Admin\AppData\Local\uv4ONv\mstsc.exe
PID 1380 wrote to memory of 2964 N/A N/A C:\Users\Admin\AppData\Local\uv4ONv\mstsc.exe
PID 1380 wrote to memory of 1580 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1380 wrote to memory of 1580 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1380 wrote to memory of 1580 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1380 wrote to memory of 916 N/A N/A C:\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe
PID 1380 wrote to memory of 916 N/A N/A C:\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe
PID 1380 wrote to memory of 916 N/A N/A C:\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b292996920f8c4f236b9a7f99e1b792.dll,#1

C:\Windows\system32\dccw.exe

C:\Windows\system32\dccw.exe

C:\Users\Admin\AppData\Local\GRA5tbY\dccw.exe

C:\Users\Admin\AppData\Local\GRA5tbY\dccw.exe

C:\Windows\system32\mstsc.exe

C:\Windows\system32\mstsc.exe

C:\Users\Admin\AppData\Local\uv4ONv\mstsc.exe

C:\Users\Admin\AppData\Local\uv4ONv\mstsc.exe

C:\Windows\system32\SoundRecorder.exe

C:\Windows\system32\SoundRecorder.exe

C:\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe

C:\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe

Network

N/A

Files

memory/2400-0-0x0000000000330000-0x0000000000337000-memory.dmp

memory/2400-1-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-4-0x0000000077296000-0x0000000077297000-memory.dmp

memory/1380-5-0x0000000002650000-0x0000000002651000-memory.dmp

memory/1380-7-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/2400-8-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-9-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-10-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-11-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-12-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-14-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-13-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-15-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-16-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-17-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-18-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-19-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-20-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-22-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-23-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-21-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-24-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-25-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-26-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-27-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-28-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-29-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-30-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-31-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-32-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-33-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-34-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-35-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-36-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-37-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-38-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-39-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-40-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-41-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-42-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-43-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-44-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-45-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-46-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-47-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-48-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-49-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-50-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-51-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-52-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-53-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-54-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-56-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-55-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-57-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-59-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-58-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-60-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-61-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-62-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-64-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-63-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-65-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/1380-67-0x0000000002250000-0x0000000002257000-memory.dmp

memory/1380-75-0x00000000774A1000-0x00000000774A2000-memory.dmp

memory/1380-76-0x0000000077600000-0x0000000077602000-memory.dmp

\Users\Admin\AppData\Local\GRA5tbY\dccw.exe

MD5 a46cee731351eb4146db8e8a63a5c520
SHA1 8ea441e4a77642e12987ac842b36034230edd731
SHA256 283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5
SHA512 3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

C:\Users\Admin\AppData\Local\GRA5tbY\dxva2.dll

MD5 2bbee1768e665bcef08e5c949164b5de
SHA1 b6ccfebbc985556915599ecc291a82fd1ce13ec5
SHA256 8c6282475e3cd2c4f4242ecd689093a1dc2ea74d0ee0097e448a1ea4f610b2c1
SHA512 d26ccf554220426e90875a9d4044bb01b7e0ed1d416b369a45949a8702843ac5e2687b14bba9df2240d69f922a6d61dfb30a940c3273ae52a853e9b61b5eccb3

memory/2884-99-0x00000000000F0000-0x00000000000F7000-memory.dmp

\Users\Admin\AppData\Local\uv4ONv\mstsc.exe

MD5 50f739538ef014b2e7ec59431749d838
SHA1 b439762b8efe8cfb977e7374c11a7e4d8ed05eb3
SHA256 85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3
SHA512 02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

C:\Users\Admin\AppData\Local\uv4ONv\WINMM.dll

MD5 cac9fe4154abc82aba54b283b3883905
SHA1 00c91a5cedc87c445d254fa7fb6bfadf5a648567
SHA256 c94d2cc692941badfd788535d15a3b9493da3bcc428d95fe55a6b9720d637605
SHA512 5b6a10e760994d8847668c251181f83bbcad143b45d6f72b26c3b6c055b79114a6d2dda02eec0f50c1e977eb88e91caa8fddfe918b6f4823d2ee223389d3d3fb

memory/2964-117-0x0000000001B70000-0x0000000001B77000-memory.dmp

\Users\Admin\AppData\Local\WVR4V\SoundRecorder.exe

MD5 47f0f526ad4982806c54b845b3289de1
SHA1 8420ea488a2e187fe1b7fcfb53040d10d5497236
SHA256 e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b
SHA512 4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

C:\Users\Admin\AppData\Local\WVR4V\UxTheme.dll

MD5 26f17053bfd670506da877cb501ba9ed
SHA1 ab51714c6622f13d5ae0d5caad57c6f8ae9918a0
SHA256 7fc048ba9561bde5a2bb85f9b6c17d49f4bd0ebecc2faedaf1bc2967d8db131b
SHA512 ce4a4992369a7f0ac91a7f471b4863287123e08c9043191ee936c9b4fb3841b1728262ec3a14531e9a5a598bacdfb54218332bccd0b623479dccd17fbd29d7c6

memory/916-135-0x0000000000230000-0x0000000000237000-memory.dmp

memory/1380-157-0x0000000077296000-0x0000000077297000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 2982129874f68aadbe000ee577b1b5a0
SHA1 1dfc53e340958fc7088e8c0fecbb783cc697b2f3
SHA256 9ce45a0410b3b34ca13f669bdd273d282fa47bde75ade5381b7e87f1fef9d7d7
SHA512 3024286ef58d5f767dc952027173f87163618ccb46cec3e4e6a82b71849b739fb75fd8e2b1b7f772bd6028e0ae9d91059c6812a3d73633e6d5af1726bf61587b

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 02:09

Reported

2023-12-30 15:39

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b292996920f8c4f236b9a7f99e1b792.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b292996920f8c4f236b9a7f99e1b792.dll,#1

C:\Windows\system32\dccw.exe

C:\Windows\system32\dccw.exe

C:\Windows\system32\MusNotifyIcon.exe

C:\Windows\system32\MusNotifyIcon.exe

C:\Windows\system32\phoneactivate.exe

C:\Windows\system32\phoneactivate.exe

C:\Users\Admin\AppData\Local\qf1\MusNotifyIcon.exe

C:\Users\Admin\AppData\Local\qf1\MusNotifyIcon.exe

C:\Users\Admin\AppData\Local\9cw\dccw.exe

C:\Users\Admin\AppData\Local\9cw\dccw.exe

C:\Users\Admin\AppData\Local\nbCK\phoneactivate.exe

C:\Users\Admin\AppData\Local\nbCK\phoneactivate.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3668-0-0x000001C2E1000000-0x000001C2E1007000-memory.dmp

memory/3668-1-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-9-0x00007FFB96FBA000-0x00007FFB96FBB000-memory.dmp

memory/3452-13-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-16-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-19-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-23-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-27-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-32-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-36-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-41-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-45-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-49-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-52-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-56-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-60-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-63-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-65-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-67-0x0000000003010000-0x0000000003017000-memory.dmp

memory/3452-75-0x00007FFB97F20000-0x00007FFB97F30000-memory.dmp

memory/3452-64-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-62-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/4876-96-0x0000025F39DC0000-0x0000025F39DC7000-memory.dmp

memory/4620-112-0x0000024ADF350000-0x0000024ADF357000-memory.dmp

memory/3452-61-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-59-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/2784-129-0x0000026336870000-0x0000026336877000-memory.dmp

memory/3452-58-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-57-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-55-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-54-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-53-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-51-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-50-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-48-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-46-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-47-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-44-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-43-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-42-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-40-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-39-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-38-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-37-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-35-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-34-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-33-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-31-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-30-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-29-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-28-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-26-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-25-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-24-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-22-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-21-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-20-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-18-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-17-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-15-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-14-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-12-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-11-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-8-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-10-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3668-7-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-6-0x0000000140000000-0x00000001402DE000-memory.dmp

memory/3452-4-0x00000000080A0000-0x00000000080A1000-memory.dmp