Malware Analysis Report

2024-11-30 21:42

Sample ID 231231-caldnabeg4
Target 237197e4b0362983487191d246802ef2
SHA256 1ec45908ab3963572f2a79ddb1bf54f957e39b8a01f30fc54397317db93663f8
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1ec45908ab3963572f2a79ddb1bf54f957e39b8a01f30fc54397317db93663f8

Threat Level: Known bad

The file 237197e4b0362983487191d246802ef2 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 01:52

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 01:52

Reported

2024-01-05 03:07

Platform

win7-20231215-en

Max time kernel

152s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\237197e4b0362983487191d246802ef2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\2DvHy84Rd\Magnify.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\W9zOno7\SndVol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\gOYlzgk\TpmInit.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\9KUS4V\\SndVol.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\2DvHy84Rd\Magnify.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\W9zOno7\SndVol.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\gOYlzgk\TpmInit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 2764 N/A N/A C:\Windows\system32\Magnify.exe
PID 1300 wrote to memory of 2764 N/A N/A C:\Windows\system32\Magnify.exe
PID 1300 wrote to memory of 2764 N/A N/A C:\Windows\system32\Magnify.exe
PID 1300 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\2DvHy84Rd\Magnify.exe
PID 1300 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\2DvHy84Rd\Magnify.exe
PID 1300 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\2DvHy84Rd\Magnify.exe
PID 1300 wrote to memory of 2968 N/A N/A C:\Windows\system32\SndVol.exe
PID 1300 wrote to memory of 2968 N/A N/A C:\Windows\system32\SndVol.exe
PID 1300 wrote to memory of 2968 N/A N/A C:\Windows\system32\SndVol.exe
PID 1300 wrote to memory of 268 N/A N/A C:\Users\Admin\AppData\Local\W9zOno7\SndVol.exe
PID 1300 wrote to memory of 268 N/A N/A C:\Users\Admin\AppData\Local\W9zOno7\SndVol.exe
PID 1300 wrote to memory of 268 N/A N/A C:\Users\Admin\AppData\Local\W9zOno7\SndVol.exe
PID 1300 wrote to memory of 1392 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1300 wrote to memory of 1392 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1300 wrote to memory of 1392 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1300 wrote to memory of 1740 N/A N/A C:\Users\Admin\AppData\Local\gOYlzgk\TpmInit.exe
PID 1300 wrote to memory of 1740 N/A N/A C:\Users\Admin\AppData\Local\gOYlzgk\TpmInit.exe
PID 1300 wrote to memory of 1740 N/A N/A C:\Users\Admin\AppData\Local\gOYlzgk\TpmInit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\237197e4b0362983487191d246802ef2.dll,#1

C:\Windows\system32\Magnify.exe

C:\Windows\system32\Magnify.exe

C:\Users\Admin\AppData\Local\2DvHy84Rd\Magnify.exe

C:\Users\Admin\AppData\Local\2DvHy84Rd\Magnify.exe

C:\Windows\system32\SndVol.exe

C:\Windows\system32\SndVol.exe

C:\Users\Admin\AppData\Local\W9zOno7\SndVol.exe

C:\Users\Admin\AppData\Local\W9zOno7\SndVol.exe

C:\Windows\system32\TpmInit.exe

C:\Windows\system32\TpmInit.exe

C:\Users\Admin\AppData\Local\gOYlzgk\TpmInit.exe

C:\Users\Admin\AppData\Local\gOYlzgk\TpmInit.exe

Network

N/A

Files

\Users\Admin\AppData\Local\2DvHy84Rd\Magnify.exe

C:\Users\Admin\AppData\Local\2DvHy84Rd\Magnify.exe

C:\Users\Admin\AppData\Local\2DvHy84Rd\OLEACC.dll

\Users\Admin\AppData\Local\2DvHy84Rd\OLEACC.dll

C:\Users\Admin\AppData\Local\2DvHy84Rd\Magnify.exe

\Users\Admin\AppData\Local\W9zOno7\SndVol.exe

C:\Users\Admin\AppData\Local\W9zOno7\dwmapi.dll

C:\Users\Admin\AppData\Local\gOYlzgk\TpmInit.exe

C:\Users\Admin\AppData\Local\gOYlzgk\Secur32.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\AWY\OLEACC.dll

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 01:52

Reported

2024-01-05 03:05

Platform

win10v2004-20231222-en

Max time kernel

3s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\237197e4b0362983487191d246802ef2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\237197e4b0362983487191d246802ef2.dll,#1

C:\Windows\system32\Taskmgr.exe

C:\Windows\system32\Taskmgr.exe

C:\Windows\system32\Utilman.exe

C:\Windows\system32\Utilman.exe

C:\Users\Admin\AppData\Local\BiPoMJ\Taskmgr.exe

C:\Users\Admin\AppData\Local\BiPoMJ\Taskmgr.exe

C:\Windows\system32\SnippingTool.exe

C:\Windows\system32\SnippingTool.exe

C:\Users\Admin\AppData\Local\cEOVxZ\SnippingTool.exe

C:\Users\Admin\AppData\Local\cEOVxZ\SnippingTool.exe

C:\Users\Admin\AppData\Local\NbbiR1JBX\Utilman.exe

C:\Users\Admin\AppData\Local\NbbiR1JBX\Utilman.exe

C:\Users\Admin\AppData\Local\qho\msra.exe

C:\Users\Admin\AppData\Local\qho\msra.exe

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

Network

Files
