Analysis Overview
SHA256
2d7543bf7a8f258b9d6c0dd4a91e7c49d7cfcb6870a0dd6003ded431c207425a
Threat Level: Known bad
The file 46772ff6c0bbebd8f54cec81c6ea6b32 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-06 14:31
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-06 14:31
Reported
2024-01-06 14:33
Platform
win7-20231215-en
Max time kernel
108s
Max time network
121s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\tOw\dialer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\7OsAjDhwJ\BdeUISrv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IIlS6NwDK\BitLockerWizard.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\tOw\dialer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\7OsAjDhwJ\BdeUISrv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IIlS6NwDK\BitLockerWizard.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Bhk\\BdeUISrv.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\tOw\dialer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\7OsAjDhwJ\BdeUISrv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\IIlS6NwDK\BitLockerWizard.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1200 wrote to memory of 2696 | N/A | N/A | C:\Windows\system32\dialer.exe |
| PID 1200 wrote to memory of 3056 | N/A | N/A | C:\Users\Admin\AppData\Local\tOw\dialer.exe |
| PID 1200 wrote to memory of 680 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe |
| PID 1200 wrote to memory of 2584 | N/A | N/A | C:\Users\Admin\AppData\Local\7OsAjDhwJ\BdeUISrv.exe |
| PID 1200 wrote to memory of 2208 | N/A | N/A | C:\Windows\system32\BitLockerWizard.exe |
| PID 1200 wrote to memory of 876 | N/A | N/A | C:\Users\Admin\AppData\Local\IIlS6NwDK\BitLockerWizard.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\46772ff6c0bbebd8f54cec81c6ea6b32.dll,#1
C:\Users\Admin\AppData\Local\tOw\dialer.exe
C:\Users\Admin\AppData\Local\tOw\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Users\Admin\AppData\Local\7OsAjDhwJ\BdeUISrv.exe
C:\Users\Admin\AppData\Local\7OsAjDhwJ\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
C:\Users\Admin\AppData\Local\IIlS6NwDK\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\IIlS6NwDK\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-06 14:31
Reported
2024-01-06 14:33
Platform
win10v2004-20231215-en
Max time kernel
72s
Max time network
151s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Ur8NxTEC\SndVol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\sw0iONV1T\AtBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9uQVYNy\SystemPropertiesDataExecutionPrevention.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Ur8NxTEC\SndVol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\sw0iONV1T\AtBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9uQVYNy\SystemPropertiesDataExecutionPrevention.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\kcUisq\\AtBroker.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Ur8NxTEC\SndVol.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\sw0iONV1T\AtBroker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\9uQVYNy\SystemPropertiesDataExecutionPrevention.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\46772ff6c0bbebd8f54cec81c6ea6b32.dll,#1
C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
C:\Users\Admin\AppData\Local\Ur8NxTEC\SndVol.exe
C:\Users\Admin\AppData\Local\Ur8NxTEC\SndVol.exe
C:\Windows\system32\AtBroker.exe
C:\Windows\system32\AtBroker.exe
C:\Users\Admin\AppData\Local\sw0iONV1T\AtBroker.exe
C:\Users\Admin\AppData\Local\sw0iONV1T\AtBroker.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\9uQVYNy\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\9uQVYNy\SystemPropertiesDataExecutionPrevention.exe
Network
Files