Malware Analysis Report

2024-11-30 21:41

Sample ID 240105-cr2f7shba8
Target 4284bc81e9158eb0601f5e1c8867db42
SHA256 abb8faf913b3e17267be4035f29d4b95f674cd1cd2ed669ebe408306ce6ce263
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

abb8faf913b3e17267be4035f29d4b95f674cd1cd2ed669ebe408306ce6ce263

Threat Level: Known bad

The file 4284bc81e9158eb0601f5e1c8867db42 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-05 02:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-05 02:19

Reported

2024-01-05 02:22

Platform

win7-20231215-en

Max time kernel

150s

Max time network

126s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4284bc81e9158eb0601f5e1c8867db42.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\4J1rcDv\javaws.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\nbfmIi\eudcedit.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\502E9\lpksetup.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\L9L\\eudcedit.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\4J1rcDv\javaws.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\nbfmIi\eudcedit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\502E9\lpksetup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 840 N/A N/A C:\Windows\system32\javaws.exe
PID 1224 wrote to memory of 840 N/A N/A C:\Windows\system32\javaws.exe
PID 1224 wrote to memory of 840 N/A N/A C:\Windows\system32\javaws.exe
PID 1224 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\4J1rcDv\javaws.exe
PID 1224 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\4J1rcDv\javaws.exe
PID 1224 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\4J1rcDv\javaws.exe
PID 1224 wrote to memory of 1636 N/A N/A C:\Windows\system32\eudcedit.exe
PID 1224 wrote to memory of 1636 N/A N/A C:\Windows\system32\eudcedit.exe
PID 1224 wrote to memory of 1636 N/A N/A C:\Windows\system32\eudcedit.exe
PID 1224 wrote to memory of 1856 N/A N/A C:\Users\Admin\AppData\Local\nbfmIi\eudcedit.exe
PID 1224 wrote to memory of 1856 N/A N/A C:\Users\Admin\AppData\Local\nbfmIi\eudcedit.exe
PID 1224 wrote to memory of 1856 N/A N/A C:\Users\Admin\AppData\Local\nbfmIi\eudcedit.exe
PID 1224 wrote to memory of 2768 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1224 wrote to memory of 2768 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1224 wrote to memory of 2768 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1224 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\502E9\lpksetup.exe
PID 1224 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\502E9\lpksetup.exe
PID 1224 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\502E9\lpksetup.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4284bc81e9158eb0601f5e1c8867db42.dll

C:\Windows\system32\javaws.exe

C:\Windows\system32\javaws.exe

C:\Users\Admin\AppData\Local\4J1rcDv\javaws.exe

C:\Users\Admin\AppData\Local\4J1rcDv\javaws.exe

C:\Windows\system32\eudcedit.exe

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\nbfmIi\eudcedit.exe

C:\Users\Admin\AppData\Local\nbfmIi\eudcedit.exe

C:\Windows\system32\lpksetup.exe

C:\Windows\system32\lpksetup.exe

C:\Users\Admin\AppData\Local\502E9\lpksetup.exe

C:\Users\Admin\AppData\Local\502E9\lpksetup.exe

Network

N/A

Files

memory/2748-0-0x0000000000120000-0x0000000000127000-memory.dmp

memory/2748-1-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-4-0x0000000077626000-0x0000000077627000-memory.dmp

memory/1224-5-0x00000000029A0000-0x00000000029A1000-memory.dmp

memory/1224-17-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-18-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-16-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-15-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-14-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-13-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-12-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-11-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-10-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-9-0x0000000140000000-0x0000000140287000-memory.dmp

memory/2748-8-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-7-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-19-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-20-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-21-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-22-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-26-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-27-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-25-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-24-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-23-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-28-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-29-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-31-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-30-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-33-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-32-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-35-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-34-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-36-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-37-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-38-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-40-0x0000000001CE0000-0x0000000001CE7000-memory.dmp

memory/1224-46-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-47-0x0000000077831000-0x0000000077832000-memory.dmp

memory/1224-48-0x0000000077990000-0x0000000077992000-memory.dmp

memory/1224-57-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-61-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-62-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1224-66-0x0000000140000000-0x0000000140287000-memory.dmp

\Users\Admin\AppData\Local\4J1rcDv\javaws.exe

MD5 f94bc1a70c942621c4279236df284e04
SHA1 8f46d89c7db415a7f48ccd638963028f63df4e4f
SHA256 be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c
SHA512 60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

C:\Users\Admin\AppData\Local\4J1rcDv\VERSION.dll

MD5 00c6b145a57b67485504ac41144cd28a
SHA1 45be2e21fcfcbda7db26ff3b37e94fdac744d2d2
SHA256 54535e44bd5ed0991a36c8845e080034fbe3e0efa005d497599dfdfaf6684797
SHA512 deb18de09553baef628d6fa1c54ef9230dfdf8355c4c7629a90b2a4a41110a80ae9e67106a8e8de98eb081e7161c2891568e746d001f39718bba9aa295b7f926

memory/2540-75-0x0000000000080000-0x0000000000087000-memory.dmp

memory/2540-76-0x0000000140000000-0x0000000140288000-memory.dmp

memory/2540-81-0x0000000140000000-0x0000000140288000-memory.dmp

\Users\Admin\AppData\Local\nbfmIi\eudcedit.exe

MD5 35e397d6ca8407b86d8a7972f0c90711
SHA1 6b39830003906ef82442522d22b80460c03f6082
SHA256 1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde
SHA512 71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

C:\Users\Admin\AppData\Local\nbfmIi\MFC42u.dll

MD5 f3465e4757f35ac3ac639e386173ff58
SHA1 7ed7d355b0164436d6887fe74d2c565ae417b046
SHA256 bbfe0dad9a06d7f1c5768c9cdd45c6563c26a3806119986529073f49c250aba4
SHA512 f712bdf5341521458b05f48de374a7acf6f0aa9ee5ada1fdfad6bd9b3492a03c2e9b1dc8677404489c2d8e3604af900c35a2f5666d09401b2fc2855851443989

memory/1856-94-0x0000000140000000-0x000000014028E000-memory.dmp

memory/1856-93-0x0000000000100000-0x0000000000107000-memory.dmp

\Users\Admin\AppData\Local\nbfmIi\MFC42u.dll

MD5 f27914b76c56656c0b8568e8841a536f
SHA1 dd5eeb717cd9da9c83588bd8453b25f065666e39
SHA256 df83f79d0d3fc08f8339c768f9e7ccff5aee7f6e2c600f8b4fdfbe5f100c95d1
SHA512 df92727a5fb98fa8d20ffc8cab7eae09645204223aae02f9527712e88d7b796d55fe0b31bf9f6b950c84cac30589156d9f5e4a355b7a3d78be929121cc97cfaa

memory/1856-99-0x0000000140000000-0x000000014028E000-memory.dmp

\Users\Admin\AppData\Local\502E9\lpksetup.exe

MD5 50d28f3f8b7c17056520c80a29efe17c
SHA1 1b1e62be0a0bdc9aec2e91842c35381297d8f01e
SHA256 71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f
SHA512 92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

C:\Users\Admin\AppData\Local\502E9\dpx.dll

MD5 533548cc699f8c25ebb7b76fe2cb1736
SHA1 165474abdf0b991a49aa7c2df304b857f8799c69
SHA256 8c074655d2d6627e8ea8cb831ead2e413d3c5e898f96887a9091667130fe791d
SHA512 8e298d06194fe18b56d5eb7c4361fa61539fce5d29cafc59ff7f05a70374fd046757f947b9e1f2387b39770d0c907e84f5fc6513a6a012255b4dbc69eb977eee

memory/1224-132-0x0000000077626000-0x0000000077627000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 b3dd7ab71af183ac8d94baacd4227ed6
SHA1 7e9b69c3e068d359d04907d47f919ec4cabb6999
SHA256 3c371a94137adc1023593e18d8a962d24647aa469abaa420b12701d99cd9e3e8
SHA512 0e2c1ce7cd0786dea025712a5320f5ff31dba085a3e148a1d79a8515db262f2e114515a816b7703358f06e410bd3d47eaaf87a29d3ea75714e8708836570af8c

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-05 02:19

Reported

2024-01-05 02:22

Platform

win10v2004-20231222-en

Max time kernel

3s

Max time network

127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4284bc81e9158eb0601f5e1c8867db42.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4284bc81e9158eb0601f5e1c8867db42.dll

C:\Windows\system32\SppExtComObj.Exe

C:\Windows\system32\SppExtComObj.Exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\aWlD\SppExtComObj.Exe

C:\Users\Admin\AppData\Local\aWlD\SppExtComObj.Exe

C:\Users\Admin\AppData\Local\kgStv5VA\dpapimig.exe

C:\Users\Admin\AppData\Local\kgStv5VA\dpapimig.exe

C:\Users\Admin\AppData\Local\z7YkPMJ\raserver.exe

C:\Users\Admin\AppData\Local\z7YkPMJ\raserver.exe

C:\Windows\system32\raserver.exe

C:\Windows\system32\raserver.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 17.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 13.107.21.200:443 tse1.mm.bing.net tcp
US 13.107.21.200:443 tse1.mm.bing.net tcp
US 13.107.21.200:443 tse1.mm.bing.net tcp
GB 88.221.135.218:80 tcp
GB 88.221.135.218:80 tcp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
GB 88.221.135.218:80 tcp
GB 88.221.135.218:80 tcp
GB 88.221.135.218:80 tcp

Files

memory/4856-0-0x0000000140000000-0x0000000140287000-memory.dmp

memory/4856-1-0x0000000000E10000-0x0000000000E17000-memory.dmp

memory/3436-4-0x0000000002D80000-0x0000000002D81000-memory.dmp

memory/4856-7-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-6-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-13-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-17-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-22-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-26-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-30-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-31-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-36-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-38-0x0000000000F80000-0x0000000000F87000-memory.dmp

memory/3436-39-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-47-0x00007FFE990E0000-0x00007FFE990F0000-memory.dmp

memory/3436-46-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-56-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-37-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-35-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-34-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-33-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-32-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-58-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-29-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-28-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-27-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-25-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-24-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-23-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-21-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-20-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-19-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3812-67-0x0000000140000000-0x0000000140288000-memory.dmp

memory/3812-73-0x0000000140000000-0x0000000140288000-memory.dmp

memory/3812-68-0x00000249046C0000-0x00000249046C7000-memory.dmp

memory/3436-18-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-16-0x0000000140000000-0x0000000140287000-memory.dmp

memory/1512-84-0x0000000140000000-0x00000001402CD000-memory.dmp

memory/1512-90-0x0000000140000000-0x00000001402CD000-memory.dmp

memory/1512-85-0x0000024F36940000-0x0000024F36947000-memory.dmp

memory/3532-107-0x0000000140000000-0x0000000140288000-memory.dmp

memory/3532-103-0x0000021A234F0000-0x0000021A234F7000-memory.dmp

memory/3436-15-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-14-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-12-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-11-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-10-0x0000000140000000-0x0000000140287000-memory.dmp

memory/3436-9-0x00007FFE98C3A000-0x00007FFE98C3B000-memory.dmp

memory/3436-8-0x0000000140000000-0x0000000140287000-memory.dmp