Malware Analysis Report

2024-11-30 21:27

Sample ID 240106-l3h9fadbbm
Target 45958928fbbbf80172f7886aad1a3e8b.exe
SHA256 11bd20582fb4a6a48501ce358c8ca69d6fb7974e611e50882bc4a9f0fcd72b0a
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 45958928fbbbf80172f7886aad1a3e8b.exe was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-06 10:03

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-06 10:03

Reported

2024-01-06 10:06

Platform

win7-20231215-en

Max time kernel

150s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\45958928fbbbf80172f7886aad1a3e8b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\gDBXekIY\rrinstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\0httg\vmicsvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\AZsGvA9\xpsrchvw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\KsyBghY\\vmicsvc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\gDBXekIY\rrinstaller.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\0httg\vmicsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\AZsGvA9\xpsrchvw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 2952 N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1340 wrote to memory of 2924 N/A N/A C:\Users\Admin\AppData\Local\gDBXekIY\rrinstaller.exe
PID 1340 wrote to memory of 832 N/A N/A C:\Windows\system32\vmicsvc.exe
PID 1340 wrote to memory of 1876 N/A N/A C:\Users\Admin\AppData\Local\0httg\vmicsvc.exe
PID 1340 wrote to memory of 2040 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1340 wrote to memory of 1088 N/A N/A C:\Users\Admin\AppData\Local\AZsGvA9\xpsrchvw.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\45958928fbbbf80172f7886aad1a3e8b.dll,#1

C:\Windows\system32\rrinstaller.exe

C:\Windows\system32\rrinstaller.exe

C:\Users\Admin\AppData\Local\gDBXekIY\rrinstaller.exe

C:\Users\Admin\AppData\Local\gDBXekIY\rrinstaller.exe

C:\Windows\system32\vmicsvc.exe

C:\Windows\system32\vmicsvc.exe

C:\Users\Admin\AppData\Local\0httg\vmicsvc.exe

C:\Users\Admin\AppData\Local\0httg\vmicsvc.exe

C:\Windows\system32\xpsrchvw.exe

C:\Windows\system32\xpsrchvw.exe

C:\Users\Admin\AppData\Local\AZsGvA9\xpsrchvw.exe

C:\Users\Admin\AppData\Local\AZsGvA9\xpsrchvw.exe

Network

N/A

Files

\Users\Admin\AppData\Local\gDBXekIY\rrinstaller.exe

C:\Users\Admin\AppData\Local\gDBXekIY\MFPlat.DLL

C:\Users\Admin\AppData\Local\0httg\vmicsvc.exe

C:\Users\Admin\AppData\Local\0httg\ACTIVEDS.dll

\Users\Admin\AppData\Local\AZsGvA9\xpsrchvw.exe

C:\Users\Admin\AppData\Local\AZsGvA9\WINMM.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\sOf\WINMM.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-06 10:03

Reported

2024-01-06 10:06

Platform

win10v2004-20231222-en

Max time kernel

0s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\45958928fbbbf80172f7886aad1a3e8b.dll,#1

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\45958928fbbbf80172f7886aad1a3e8b.dll,#1

C:\Windows\system32\ie4ushowIE.exe

C:\Windows\system32\ie4ushowIE.exe

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\jUXobDIfU\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\jUXobDIfU\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\4aQ\ApplicationFrameHost.exe

C:\Users\Admin\AppData\Local\4aQ\ApplicationFrameHost.exe

C:\Users\Admin\AppData\Local\mujqaCAm8\ie4ushowIE.exe

C:\Users\Admin\AppData\Local\mujqaCAm8\ie4ushowIE.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 udp
N/A 20.190.177.22:443 tcp
