Malware Analysis Report

2024-11-30 21:29

Sample ID 231230-m86glahae4
Target 16cfe99a149193f8a8446449359c4947
SHA256 a63534972496645805cedaac9ade46d47213ae8a0e5389d79379a896a4a4f34a
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 a63534972496645805cedaac9ade46d47213ae8a0e5389d79379a896a4a4f34a

Threat Level: Known bad

The file 16cfe99a149193f8a8446449359c4947 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 11:09

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 11:09

Reported

2024-01-03 07:07

Platform

win7-20231215-en

Max time kernel

150s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16cfe99a149193f8a8446449359c4947.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\ziE8aWex8\OptionalFeatures.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Kco\dpapimig.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\ZeNvxA\Magnify.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\co4CCvTjTu9\\dpapimig.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ziE8aWex8\OptionalFeatures.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Kco\dpapimig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ZeNvxA\Magnify.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 468 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1240 wrote to memory of 468 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1240 wrote to memory of 468 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1240 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\ziE8aWex8\OptionalFeatures.exe
PID 1240 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\ziE8aWex8\OptionalFeatures.exe
PID 1240 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\ziE8aWex8\OptionalFeatures.exe
PID 1240 wrote to memory of 2200 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1240 wrote to memory of 2200 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1240 wrote to memory of 2200 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1240 wrote to memory of 308 N/A N/A C:\Users\Admin\AppData\Local\Kco\dpapimig.exe
PID 1240 wrote to memory of 308 N/A N/A C:\Users\Admin\AppData\Local\Kco\dpapimig.exe
PID 1240 wrote to memory of 308 N/A N/A C:\Users\Admin\AppData\Local\Kco\dpapimig.exe
PID 1240 wrote to memory of 2472 N/A N/A C:\Windows\system32\Magnify.exe
PID 1240 wrote to memory of 2472 N/A N/A C:\Windows\system32\Magnify.exe
PID 1240 wrote to memory of 2472 N/A N/A C:\Windows\system32\Magnify.exe
PID 1240 wrote to memory of 2516 N/A N/A C:\Users\Admin\AppData\Local\ZeNvxA\Magnify.exe
PID 1240 wrote to memory of 2516 N/A N/A C:\Users\Admin\AppData\Local\ZeNvxA\Magnify.exe
PID 1240 wrote to memory of 2516 N/A N/A C:\Users\Admin\AppData\Local\ZeNvxA\Magnify.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16cfe99a149193f8a8446449359c4947.dll,#1

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\ziE8aWex8\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\ziE8aWex8\OptionalFeatures.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\Kco\dpapimig.exe

C:\Users\Admin\AppData\Local\Kco\dpapimig.exe

C:\Windows\system32\Magnify.exe

C:\Windows\system32\Magnify.exe

C:\Users\Admin\AppData\Local\ZeNvxA\Magnify.exe

C:\Users\Admin\AppData\Local\ZeNvxA\Magnify.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\ziE8aWex8\OptionalFeatures.exe

MD5 eae7af6084667c8f05412ddf096167fc
SHA1 0dbe8aba001447030e48e8ad5466fd23481e6140
SHA256 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
SHA512 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

C:\Users\Admin\AppData\Local\ziE8aWex8\appwiz.cpl

MD5 370f6b47eec008ae39afeab22675b19a
SHA1 60b24fcb495a1087f00aac95d984df0fb63da7f0
SHA256 6676f2273d0b1d99ba832f1c67072e7ac31ea02565cf5aaf7f998fc9a411926b
SHA512 d39e038ae4014a3432c89b65f772196a048e783c40c3e057800724f54768160e34f61c0119de71102d40be298ad07829775e2386bee9f95a7178ba93999b9c99

\Users\Admin\AppData\Local\Kco\dpapimig.exe

MD5 0e8b8abea4e23ddc9a70614f3f651303
SHA1 6d332ba4e7a78039f75b211845514ab35ab467b2
SHA256 66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1
SHA512 4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

C:\Users\Admin\AppData\Local\Kco\DUI70.dll

MD5 674c4797625821c018e32eb855640955
SHA1 b8a51157527f712fe6347ea50e466f0b39d27c23
SHA256 92ba004e0517253a70aacf8920e71b80dc33ede8600331f488cbbf7fe4c9c10b
SHA512 fb61aa568bd13c1bc2b6f1a6c4c9a2cfedf6757da988826b2ab0511a5640d9d7de4bc667427b34a94e6d2dab98dd07767e01889e1f96cbf330fdcfba6d409cc4

\Users\Admin\AppData\Local\ZeNvxA\Magnify.exe

MD5 233b45ddf77bd45e53872881cff1839b
SHA1 d4b8cafce4664bb339859a90a9dd1506f831756d
SHA256 adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a
SHA512 6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

C:\Users\Admin\AppData\Local\ZeNvxA\OLEACC.dll

MD5 3313184ab8811b218deb9ad5be481569
SHA1 604d5448931fb4951e9b2ee11cb4e2a051eb0631
SHA256 31df09d1a381602a9f1fe1e5b38072dd5045d2fda779386ab23d4b898fe021c3
SHA512 bb44acc3a548b3bc0d119fe03399a4ceb2bded6320a5bdbcd75f41ec706bb7aeb426f57d15a0d20db5edf1cc0fcb4fdbbd48b6937469e31958e47fa3a1d68cc0

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 619f78d4dd67227ab595645a2cf97f5d
SHA1 74d92edb55f5cb70e41dab60a47c857e2f1253d7
SHA256 3c081ae36d4eb231006762c3c69313c2b134eb578bf58d368ffb69db9fee5ebd
SHA512 97b81c619428cdb9cb7412aeaa3e56eee6d18c208e147005e45650de0b0beb970d635f86494123e4a7c3fdde2d3025dcbfe86a0a086774ae86719ff802ea7aba

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 11:09

Reported

2024-01-03 07:07

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16cfe99a149193f8a8446449359c4947.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16cfe99a149193f8a8446449359c4947.dll,#1

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe

C:\Windows\system32\MusNotifyIcon.exe

C:\Windows\system32\MusNotifyIcon.exe

C:\Users\Admin\AppData\Local\vRe\isoburn.exe

C:\Users\Admin\AppData\Local\vRe\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Users\Admin\AppData\Local\9BhG\MusNotifyIcon.exe

C:\Users\Admin\AppData\Local\9BhG\MusNotifyIcon.exe

C:\Users\Admin\AppData\Local\wPmhBAHDy\PasswordOnWakeSettingFlyout.exe

C:\Users\Admin\AppData\Local\wPmhBAHDy\PasswordOnWakeSettingFlyout.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 48.192.11.51.in-addr.arpa udp

Files
