Malware Analysis Report

2024-11-30 21:29

Sample ID 240108-pllj1safb2
Target 4b6e05dcf2f97e22e23ccee43760bb5f
SHA256 a378e9fbc0661da7e27a88d882f90752f4e2a6a59e15aa910a51a67bc92f6c96
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 4b6e05dcf2f97e22e23ccee43760bb5f was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2024-01-08 12:25

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-08 12:25

Reported

2024-01-08 12:27

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b6e05dcf2f97e22e23ccee43760bb5f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\7WX\irftp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\nUw1GuQ\irftp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Q98A\rdpclip.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\b5F\\irftp.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7WX\irftp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\nUw1GuQ\irftp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Q98A\rdpclip.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 1492 N/A N/A C:\Windows\system32\irftp.exe
PID 1260 wrote to memory of 1492 N/A N/A C:\Windows\system32\irftp.exe
PID 1260 wrote to memory of 1492 N/A N/A C:\Windows\system32\irftp.exe
PID 1260 wrote to memory of 568 N/A N/A C:\Users\Admin\AppData\Local\7WX\irftp.exe
PID 1260 wrote to memory of 568 N/A N/A C:\Users\Admin\AppData\Local\7WX\irftp.exe
PID 1260 wrote to memory of 568 N/A N/A C:\Users\Admin\AppData\Local\7WX\irftp.exe
PID 1260 wrote to memory of 2836 N/A N/A C:\Windows\system32\irftp.exe
PID 1260 wrote to memory of 2836 N/A N/A C:\Windows\system32\irftp.exe
PID 1260 wrote to memory of 2836 N/A N/A C:\Windows\system32\irftp.exe
PID 1260 wrote to memory of 880 N/A N/A C:\Users\Admin\AppData\Local\nUw1GuQ\irftp.exe
PID 1260 wrote to memory of 880 N/A N/A C:\Users\Admin\AppData\Local\nUw1GuQ\irftp.exe
PID 1260 wrote to memory of 880 N/A N/A C:\Users\Admin\AppData\Local\nUw1GuQ\irftp.exe
PID 1260 wrote to memory of 1096 N/A N/A C:\Windows\system32\rdpclip.exe
PID 1260 wrote to memory of 1096 N/A N/A C:\Windows\system32\rdpclip.exe
PID 1260 wrote to memory of 1096 N/A N/A C:\Windows\system32\rdpclip.exe
PID 1260 wrote to memory of 1948 N/A N/A C:\Users\Admin\AppData\Local\Q98A\rdpclip.exe
PID 1260 wrote to memory of 1948 N/A N/A C:\Users\Admin\AppData\Local\Q98A\rdpclip.exe
PID 1260 wrote to memory of 1948 N/A N/A C:\Users\Admin\AppData\Local\Q98A\rdpclip.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b6e05dcf2f97e22e23ccee43760bb5f.dll,#1

C:\Windows\system32\irftp.exe

C:\Windows\system32\irftp.exe

C:\Users\Admin\AppData\Local\7WX\irftp.exe

C:\Users\Admin\AppData\Local\7WX\irftp.exe

C:\Windows\system32\irftp.exe

C:\Windows\system32\irftp.exe

C:\Users\Admin\AppData\Local\nUw1GuQ\irftp.exe

C:\Users\Admin\AppData\Local\nUw1GuQ\irftp.exe

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\rdpclip.exe

C:\Users\Admin\AppData\Local\Q98A\rdpclip.exe

C:\Users\Admin\AppData\Local\Q98A\rdpclip.exe

Network

N/A

Files

\Users\Admin\AppData\Local\7WX\irftp.exe

MD5 0cae1fb725c56d260bfd6feba7ae9a75
SHA1 102ac676a1de3ec3d56401f8efd518c31c8b0b80
SHA256 312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d
SHA512 db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

C:\Users\Admin\AppData\Local\7WX\WTSAPI32.dll

MD5 95529e1cc689134db4ab136586ca6c9b
SHA1 b16dff2252f772bf2ca9bdc86cf6db78e5ce9140
SHA256 47008830dcf098b1126e62456447620fd49b43c4d4d2ee02c9941409c8cc5d1e
SHA512 2a3c01a1d7a10ade4a69d75d6a71410e2598093c801473221e28aa0163c7aa14f5f885dfbff12011a71fc5fbd6997ddc01f5c078fab25b9a8155ed0a6c52aace

C:\Users\Admin\AppData\Local\nUw1GuQ\MFC42u.dll

MD5 b448dcaed42b1e467af630e51e373b42
SHA1 c8ac54b5f85136541db10c582c61bb2f9829f81d
SHA256 5793b47e6370eb980125bff8ae501601bcea8798af6aa625b022c7208796d0cf
SHA512 931c7b9f1077ff0455a4ed903204e5c9a164b59cf614a01c9d625a87b5c5b00a2153b369f893a006febd600d955c24f8b1e822483130606d021a7fccda16ff61

C:\Users\Admin\AppData\Local\Q98A\rdpclip.exe

MD5 25d284eb2f12254c001afe9a82575a81
SHA1 cf131801fdd5ec92278f9e0ae62050e31c6670a5
SHA256 837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b
SHA512 7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

C:\Users\Admin\AppData\Local\Q98A\WINSTA.dll

MD5 8cab513b45502d83267f1058a3e4613e
SHA1 591674df51e9ad5d1caf38323ab8fa8835f7e818
SHA256 268157c65781b412ca91364be373607c3b2c49ef7929cd5f794f1a3427f03da6
SHA512 c6dfc5222fa2af3ba44d1241da7931b5aed4f23b0f88ca90638c981770e29f1eca38b7d17416dcd4dfce1e87e9f0edce20f689012c7511c6812934b2af7d1166

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 5e97635219d81b9acfd847fbc29a1f7b
SHA1 9df6999098615d2c79490aff91b4d7495ae39faa
SHA256 31338ddcadcc2ff96174e43f85e17c210d8148c0ae43d2b92ba8e96123261486
SHA512 01f9646cac714adaada6069899bcab15cb5589cf321c2593bc8a1789a4786aa1b05fb4115648f1aed556858cf25ed7bd43c813b5efad2a87504c47df6103bda1

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-08 12:25

Reported

2024-01-08 12:27

Platform

win10v2004-20231215-en

Max time kernel

4s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b6e05dcf2f97e22e23ccee43760bb5f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b6e05dcf2f97e22e23ccee43760bb5f.dll,#1

C:\Windows\system32\phoneactivate.exe

C:\Windows\system32\phoneactivate.exe

C:\Windows\system32\mspaint.exe

C:\Windows\system32\mspaint.exe

C:\Users\Admin\AppData\Local\Ab7\phoneactivate.exe

C:\Users\Admin\AppData\Local\Ab7\phoneactivate.exe

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\rdpinit.exe

C:\Users\Admin\AppData\Local\5VhYic9n\rdpinit.exe

C:\Users\Admin\AppData\Local\5VhYic9n\rdpinit.exe

C:\Users\Admin\AppData\Local\F0Qro\mspaint.exe

C:\Users\Admin\AppData\Local\F0Qro\mspaint.exe

Network


Files
