Malware Analysis Report

2024-11-16 13:03

Sample ID 240909-2eh7javhpf
Target Client-built.exe
SHA256 d07fab9f9877d6292ad8cb4de9fde55f86e702bb622c0d10ebfa93f4f1cb8664
Tags discordrat defense_evasion persistence rat rootkit stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 d07fab9f9877d6292ad8cb4de9fde55f86e702bb622c0d10ebfa93f4f1cb8664

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

discordrat defense_evasion persistence rat rootkit stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Discord RAT

Discordrat family

Indicator Removal: Clear Windows Event Logs

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-09 22:29

Signatures

Discordrat family

discordrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-09 22:29

Reported

2024-09-09 22:32

Platform

win11-20240802-en

Max time kernel

157s

Max time network

159s

Command Line

winlogon.exe

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2356 created 644 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\system32\winlogon.exe

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2356 set thread context of 764 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 2356 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 2356 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 2356 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 2356 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 2356 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 2356 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 2356 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 2356 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 2356 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 2356 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 764 wrote to memory of 644 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 764 wrote to memory of 692 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 764 wrote to memory of 988 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 468 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 764 wrote to memory of 540 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 764 wrote to memory of 1072 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 764 wrote to memory of 1080 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 1132 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 1144 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 1232 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 764 wrote to memory of 1288 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 1392 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 1512 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 1520 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 764 wrote to memory of 1624 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 1632 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 764 wrote to memory of 1644 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 1760 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 1792 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 764 wrote to memory of 1844 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 1912 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 764 wrote to memory of 2024 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 764 wrote to memory of 2040 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 1956 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 1996 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 764 wrote to memory of 2132 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 764 wrote to memory of 2252 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 764 wrote to memory of 2388 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 2396 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 2444 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 2496 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 764 wrote to memory of 2504 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 2536 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
PID 764 wrote to memory of 2564 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 764 wrote to memory of 2592 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 2608 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 3016 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sihost.exe
PID 764 wrote to memory of 3028 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 3112 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\unsecapp.exe
PID 764 wrote to memory of 3280 N/A C:\Windows\System32\dllhost.exe C:\Windows\Explorer.EXE
PID 764 wrote to memory of 3432 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 3452 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 3812 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 764 wrote to memory of 3868 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 764 wrote to memory of 3944 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe
PID 764 wrote to memory of 3984 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 4176 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe
PID 764 wrote to memory of 4372 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 5112 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 4760 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 3328 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 764 wrote to memory of 2272 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 764 wrote to memory of 4348 N/A C:\Windows\System32\dllhost.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{55ae77dd-42e1-4148-b350-b5c22a706f89}

Network

Country Destination Domain Proto
US 8.8.8.8:53 gateway.discord.gg udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 162.159.134.234:443 gateway.discord.gg tcp
US 162.159.135.232:443 discord.com tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 162.159.138.232:443 discord.com tcp

Files
