Malware Analysis Report

2024-11-30 21:19

Sample ID 231230-cnkz2shgal
Target 0b44d3630f3bde3a89adb3dbfcd83a68
SHA256 fb75c71c3a6a1f8d9bcc680521b053e2d6b9b3fbcf29ed86ac5cf01c7ce74d02
Tags
dridex botnet evasion payload trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb75c71c3a6a1f8d9bcc680521b053e2d6b9b3fbcf29ed86ac5cf01c7ce74d02

Threat Level: Known bad

The file 0b44d3630f3bde3a89adb3dbfcd83a68 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 02:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 02:13

Reported

2023-12-30 15:49

Platform

win7-20231215-en

Max time kernel

7s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b44d3630f3bde3a89adb3dbfcd83a68.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b44d3630f3bde3a89adb3dbfcd83a68.dll,#1

C:\Windows\system32\dccw.exe

C:\Windows\system32\dccw.exe

C:\Users\Admin\AppData\Local\kWz\dccw.exe

C:\Users\Admin\AppData\Local\kWz\dccw.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\4X9mdPGr\WFS.exe

C:\Users\Admin\AppData\Local\4X9mdPGr\WFS.exe

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Users\Admin\AppData\Local\IK0Ju\shrpubw.exe

C:\Users\Admin\AppData\Local\IK0Ju\shrpubw.exe

Network

N/A

Files

memory/2156-0-0x0000000140000000-0x0000000140233000-memory.dmp

memory/2156-1-0x0000000000210000-0x0000000000217000-memory.dmp

memory/1236-4-0x0000000077826000-0x0000000077827000-memory.dmp

memory/1236-5-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

memory/1236-7-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-14-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-17-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-22-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-26-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-27-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-28-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-29-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-31-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-32-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-33-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-34-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-35-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-36-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-37-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-39-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-40-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-43-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-44-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-45-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-47-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-49-0x0000000002AC0000-0x0000000002AC7000-memory.dmp

memory/1236-48-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-46-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-42-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-56-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-41-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-57-0x0000000077A31000-0x0000000077A32000-memory.dmp

memory/1236-58-0x0000000077B90000-0x0000000077B92000-memory.dmp

memory/1236-38-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-30-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-24-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-25-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-23-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-21-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-20-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-19-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-67-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-18-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-16-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-71-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-15-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-13-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-76-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-12-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-11-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-10-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1236-9-0x0000000140000000-0x0000000140233000-memory.dmp

C:\Users\Admin\AppData\Local\kWz\dccw.exe

MD5 acc928c260140cfb6f3d5620bad197ff
SHA1 9f3ef01962e9f7d44052584270d935ce2235aa63
SHA256 1c3b4d6f3520b9f49a28653385eabb7e07f991faaf55522047a5d239724d2abd
SHA512 5a1db503b3a376ac81f4a73605b4294b27af01ada7d4725eb69e495d4572596bc8ea032778106d71ce6e360ee0660c7f985f19055234ca6ce60dc4f86405ecd5

\Users\Admin\AppData\Local\kWz\mscms.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2116-85-0x00000000001F0000-0x00000000001F7000-memory.dmp

C:\Users\Admin\AppData\Local\kWz\mscms.dll

MD5 10c744ddd5b038896b79402fc56a09a5
SHA1 bd0913e5aed77e2b46b224d07ef2081a0053edf2
SHA256 72bb7bebc86f78c2c811bf450387202579ff2a05fbfb046390a4e65645e892fb
SHA512 cc3cc0128cdc85be4c1ed18e4b15cafb1e20bc3fc2dfdcf5960e7fd22327a68e4d7b14e7674a496077ab16cc6cb2fbd394358e53b95f896ffb50dc45525d4dcc

\Users\Admin\AppData\Local\kWz\dccw.exe

MD5 61901a249f052192c4c6307e3eb63ceb
SHA1 59268d7a45aa13faed6d279e3e615a2608a4c57a
SHA256 2a583a04c619c21efb41217698bfb3b0e7a2797432c28ff7685ef3b5ead2a130
SHA512 06d68a379612e6e5d4acca54fea4ab9426c33aadd377e46b5c1f55a004e5757b0d7d9564a2730510fdbd1a168296451c15d5c5001c0038ce7246f272885fd46d

memory/2156-8-0x0000000140000000-0x0000000140233000-memory.dmp

C:\Users\Admin\AppData\Local\kWz\dccw.exe

MD5 a0b57e20e142e149461653b33e4f6efa
SHA1 5dce0d2061f8bf52997fba285c9f3e87c6c987c5
SHA256 1ab67ff7731c37dae510550eb63eba5a463772464890d07269ef834a928fadc4
SHA512 894ff0ad3850dc7e9a5a0f689499ab4c28da6d08ee1aa21910025be8a6bdd13fe677f9582affa69e4be7b76efc05c16b7e6dbbe5c2640577987f84c78d089fc0

C:\Users\Admin\AppData\Local\4X9mdPGr\MFC42u.dll

MD5 1f9278f703f0345e8dbe8340b613fd4c
SHA1 38c3a08f9b6a0ef5e0be5b4948a6de66adebf151
SHA256 1b64008c331a2ea7ab9c627baa5cd095b0b0c2650c7d04bc08179f0931299a05
SHA512 2a23d48867fe2924f11cb563e5a7d71701b759cdbaaa7d4bc1f08da06a4df3e65a42cbcb2469a3a3e3398cb29c159d53a0bd8c0562c2afb5bb12173f2516656b

memory/2808-109-0x0000000000170000-0x0000000000177000-memory.dmp

C:\Users\Admin\AppData\Local\4X9mdPGr\WFS.exe

MD5 507e23cdd843f648ece60dcd05f85100
SHA1 4b9aaa90f5725f52ac0f96c66d289af6a088c7a6
SHA256 052ed5034f5a71fc0a5a95e9615f6449fd28b33cfb960b123d5e6a6305d23828
SHA512 8d39e0b8227daacf13825ef197623be184ce6c8026e8ceacd443de06455a2cd7dcf80a2d48304e0dba829b1ba90c32e3eba48be4a6930b872c58e0ec072bfe2e

C:\Users\Admin\AppData\Local\4X9mdPGr\WFS.exe

MD5 15200e500fbdc8952e98a107b7caecd4
SHA1 6d4ef781ee7759002eccdbe97a6b1785c408f55e
SHA256 8918fcb9d1e6805b8983eb129c324466f7cd1fe001b414c489775c63e94e168d
SHA512 84e06abecfa4aeb85155357c85137c5b63ffa75c6e4ca1dee0290e267d30598a79d4cbbb75e99f2eff7501e70844ec90c0b7c7a518f54a4542b6e3b0d71e4463

\Users\Admin\AppData\Local\IK0Ju\MFC42u.dll

MD5 caca4cc0c37b895fce4ffe4099c139e8
SHA1 f7f11ed1393f563826f15c82c4eb5ca09bb6ade3
SHA256 1abefafa2e6524573662495891dd65a43461f54c42ec614440b9be931c97d37d
SHA512 16ec616b51953406602e7adabe35303d3b0bc5b80ce96614753f1ce0ec6d6fdf78a2d179fa12c0ed2fb0f1b884be868e24040edfe7643d5f539935b4d54baf27

C:\Users\Admin\AppData\Local\IK0Ju\shrpubw.exe

MD5 77284b7c883e4c8a4c0d5cf48f3b3806
SHA1 d79d04da0501b636ad4c6e5071997ce8e4675725
SHA256 e4c9a8f76416141f1c053d37d0b75d70bb898ee90c42e1da0c736f1aaa12f765
SHA512 ee38ee10f4cf55d4fd3b6cc84369dd1d40325894bcd7e100bcedc48e113477ff868ab05bc90a3199efb72678e5128d2bd1c5aab45b1f9d1cc9dbe7ad027d1a76

memory/2916-133-0x0000000000310000-0x0000000000317000-memory.dmp

C:\Users\Admin\AppData\Local\IK0Ju\MFC42u.dll

MD5 15f90f81a9628056169e97505094d1a7
SHA1 9f82501246ff27539fc93b8ff2fce21bd3b808d9
SHA256 7fc782186913bc7a84e0a8a8627cfabca0117a50f3260ee1194f40e7b38e6bf9
SHA512 04376d47b930273c5c96685647fc555362e6d6589ff7e81e2d89ab1b47d917de99da8a60c26b295cb8a528882386df9a1f59ec9c3d9054f141b810d7b97c2ac7

\Users\Admin\AppData\Local\IK0Ju\shrpubw.exe

MD5 e2e2bf67316a84b985615fd5dc44f5e2
SHA1 5063dc1c08294f5bc651560bfdb47c587cf1e911
SHA256 53225f840310d1115d3d248b74c2382b3235776f9eac9a9f43cc9f54fd20e7bc
SHA512 5696e13fbeceee6fdf51ec2814c78f85709cf370dd992aad70f05b35c3aa3afe39dfdb223804ae9b0640860620e4d7b3cfde7073ff48b47dcfe6cb6353298c88

C:\Users\Admin\AppData\Local\IK0Ju\shrpubw.exe

MD5 765b714a2703db55f63344bb1ec59e00
SHA1 7627c470358e0ef515ac83fbe8a249a3bbda8d2f
SHA256 d21dcc2dc084207532bdb72124c0a1d286ffb161918bfc6240243e526b2924a5
SHA512 0474e254b9e5f018bed4c9b1eab7a519c750b578a7d5c2ecff882b6d57275e0c0c5ed5983a5aa28bea243a15af4efc2ad35b6cf951cdaba38bd31222c6b4f143

\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\Vh9xR78\shrpubw.exe

MD5 9667b029a2817f2a380dbec1c8b8b981
SHA1 6f4ff92e77f69a78ecafa0bd14956584d9daef82
SHA256 e7f48206665a02e29184b0f182cd65708f5973cdb604043901a691a1eae90b6d
SHA512 9848b5636b094f7a4c6e072c00da601386b2440719ab98092fab6535e916d9fdc3bea54e8db012c6a2bbb62c22d94e68ae65394640c6703784ed64b2ac23870c

memory/1236-158-0x0000000077826000-0x0000000077827000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

MD5 863991e126203d1b9eed4b7408c261c7
SHA1 16a482dbaebadfae9e16d4744a4fab7ca2a8df63
SHA256 529cec24e1b769833773c9b3763f557fa7b3cc0224b9b5e0e6dd218fffc332a1
SHA512 a652f4c086eee05758d63bf26d6635c00ab0741804cb11c01e2efedcb9dcfc5381bddf8c6de5ecba959f5f98ce45281acbb1e6326e66cc40477044dabf62bf3c

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\oxIs\mscms.dll

MD5 4cb9c5dc9e4d108301e59e799f71c59a
SHA1 7ae1a27d9851ad6cd45f2f7d2a11757738dbde58
SHA256 75a2c17f67346d193a424b0472f581a1b21dd41090e85d1e1c8476ecb64ed794
SHA512 92eeed7132262fc795ac350984cc4e6c6af620c46a7783474d1aa7a501ea5d5a0e462df35b984eda88c9412fd19e7af873b0a95aa8c56d2cb3af202cb41096b5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\8uy\MFC42u.dll

MD5 2e73d6b675b82084a72f55af7ccf3826
SHA1 fcb494eb10dad928647b2c5a23a0b2c1527edc66
SHA256 81d471e90837a9ce87daf6897a6629ad4c295e6b54e61cd8291a3fdc8dc0b54f
SHA512 445823c3c7410d8119492aa251033692a1ee96a9164fe2154334ffc377a2968c0e061d8bf31c78a000e157025be3611e649a485defcf50b6c445e5779463924f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\Vh9xR78\MFC42u.dll

MD5 dcdf037fe878b710408d91ad043e8289
SHA1 939cc5a7338111c1272ec373510e245443a1de4c
SHA256 1c51426c70a03f66721e2212f88c29a97345d73fdae7f4cb2436efca7b674c57
SHA512 feb96d3b66479d44aeb49177f42ecac8201b78486e6fccdc24b94f9353b323dfddbd694ad2b3a0119995884edc859eb821f8aec32529ff7fca4901bcbc1fbd52

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 02:13

Reported

2023-12-30 15:49

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b44d3630f3bde3a89adb3dbfcd83a68.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b44d3630f3bde3a89adb3dbfcd83a68.dll,#1

C:\Windows\system32\bdechangepin.exe

C:\Windows\system32\bdechangepin.exe

C:\Users\Admin\AppData\Local\m4z\bdechangepin.exe

C:\Users\Admin\AppData\Local\m4z\bdechangepin.exe

C:\Windows\system32\LicensingUI.exe

C:\Windows\system32\LicensingUI.exe

C:\Windows\system32\LicensingUI.exe

C:\Windows\system32\LicensingUI.exe

C:\Users\Admin\AppData\Local\HlLZ1AQva\LicensingUI.exe

C:\Users\Admin\AppData\Local\HlLZ1AQva\LicensingUI.exe

C:\Users\Admin\AppData\Local\MRVmZ4\LicensingUI.exe

C:\Users\Admin\AppData\Local\MRVmZ4\LicensingUI.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
IE 20.166.126.56:443 tcp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp

Files

memory/4736-0-0x0000022A6D550000-0x0000022A6D557000-memory.dmp

memory/4736-1-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-12-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-18-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-24-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-29-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-34-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-39-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-44-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-48-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-51-0x0000000002010000-0x0000000002017000-memory.dmp

memory/3492-56-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-57-0x00007FFB6BBC0000-0x00007FFB6BBD0000-memory.dmp

memory/3492-68-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-66-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-47-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-46-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-45-0x0000000140000000-0x0000000140233000-memory.dmp

memory/592-77-0x0000000140000000-0x0000000140279000-memory.dmp

memory/592-83-0x0000000140000000-0x0000000140279000-memory.dmp

memory/592-79-0x0000012BB5050000-0x0000012BB5057000-memory.dmp

memory/3492-43-0x0000000140000000-0x0000000140233000-memory.dmp

memory/4068-94-0x00000204586F0000-0x00000204586F7000-memory.dmp

memory/3492-42-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-41-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-40-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3608-111-0x00000235BE230000-0x00000235BE237000-memory.dmp

memory/3492-38-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-37-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-36-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-35-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-33-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-32-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-31-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-30-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-28-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-27-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-26-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-25-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-22-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-23-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-21-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-20-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-19-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-17-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-16-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-15-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-14-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-13-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-11-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-10-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-9-0x00007FFB6AD4A000-0x00007FFB6AD4B000-memory.dmp

memory/3492-7-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-8-0x0000000140000000-0x0000000140233000-memory.dmp

memory/4736-6-0x0000000140000000-0x0000000140233000-memory.dmp

memory/3492-4-0x0000000002400000-0x0000000002401000-memory.dmp