Malware Analysis Report

2025-08-06 04:07

Sample ID 231207-jbtjzshggn
Target Zamówienie.ZD33166.exe
SHA256 d6d400c0847a1893dea669a1c8cfee475cafd9439bc50c694eaccbc04211a0e7
Tags
agenttesla guloader downloader keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d6d400c0847a1893dea669a1c8cfee475cafd9439bc50c694eaccbc04211a0e7

Threat Level: Known bad

The file Zamówienie.ZD33166.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla guloader downloader keylogger spyware stealer trojan

AgentTesla

Guloader,Cloudeye

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-07 07:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-07 07:30

Reported

2023-12-07 07:32

Platform

win7-20231020-en

Max time kernel

143s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Guloader,Cloudeye

downloader guloader

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Haglskadeforsikring\Miljankenvnet.ini C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2512 set thread context of 2644 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Kldebonnets.kod C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\integraltegnets\substrate.Ski C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A
File created C:\Program Files (x86)\cockling.lnk C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A
File opened for modification C:\Program Files (x86)\cockling.lnk C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\bagvognen.lnk C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A
File opened for modification C:\Windows\Calottes.Doo C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A
File opened for modification C:\Windows\bagvognen.lnk C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 2644 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2512 wrote to memory of 2644 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2512 wrote to memory of 2644 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2512 wrote to memory of 2644 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2512 wrote to memory of 2644 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2512 wrote to memory of 2644 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe

"C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Tiljublingens=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Falskspillerens.Ill';$Konferenserne=$Tiljublingens.SubString(48125,3);.$Konferenserne($Tiljublingens)"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 kayserialarmuydu.com udp
TR 5.2.84.221:80 kayserialarmuydu.com tcp
TR 5.2.84.221:443 kayserialarmuydu.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Rkkens.ini

MD5 a8ca1db6ae34f5e5c152094f44f92476
SHA1 9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7
SHA256 1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3
SHA512 e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

memory/2512-170-0x0000000074320000-0x00000000748CB000-memory.dmp

memory/2512-171-0x0000000074320000-0x00000000748CB000-memory.dmp

memory/2512-172-0x0000000002500000-0x0000000002540000-memory.dmp

memory/2512-173-0x0000000002500000-0x0000000002540000-memory.dmp

C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Falskspillerens.Ill

MD5 fa2b04b706a4a1a50a3866e1fffb34f7
SHA1 0bf99926ab1aff752fd2325d7dadcf68440cda83
SHA256 d16797d1615df0383dab78a1e90f594439ae34c0f0cc9083e5883f42585718c5
SHA512 58097ca7d6c8145504b41807f2e0aa4b41aa4d5e58943d47455c7e60a5bc4288756503d5a93e3c2c362c5c5aa0c782af3cf30a6a10e206d498eed7e7ae993263

C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Wreathless.You

MD5 a7d050056af386ff8097a7effd1d9f6f
SHA1 008fafc028955c2bdab6508168135e42b1c2d437
SHA256 5270d655c8baee63673cce7a5d4c4bd8130d37dcc5a0688d5589913b96cc6d95
SHA512 7413802fcf4e35e690adef8718dfad2fc73848a3f5e9ea7bc9636795dce7cba8bf28022d28e9323041e2210a2ab413f48d1a990f2bb7b40bf42602b28788870d

memory/2512-177-0x0000000004FC0000-0x0000000004FC4000-memory.dmp

memory/2512-178-0x0000000005FD0000-0x0000000007A92000-memory.dmp

memory/2512-179-0x0000000005FD0000-0x0000000007A92000-memory.dmp

memory/2512-180-0x0000000074320000-0x00000000748CB000-memory.dmp

memory/2512-181-0x0000000002500000-0x0000000002540000-memory.dmp

memory/2512-182-0x0000000077A60000-0x0000000077C09000-memory.dmp

memory/2512-183-0x0000000077C50000-0x0000000077D26000-memory.dmp

memory/2512-185-0x0000000005FD0000-0x0000000007A92000-memory.dmp

memory/2644-186-0x0000000001360000-0x0000000002E22000-memory.dmp

memory/2644-187-0x0000000077A60000-0x0000000077C09000-memory.dmp

memory/2644-188-0x000000006FE10000-0x0000000070E72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFF96.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarE4.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 207588a0b40253d569791830f5571745
SHA1 0b99068c64839ad5ffcdd6b277316983ca13d6a8
SHA256 fae37b926de91b4b79f4d3465c0f12bdcd98e0363b9d078e6443f264a5ec107e
SHA512 0424dffaed77da8745de36b8f04cb129b15c3ef4bfc44277d8c6ea3f9b33c8abcbdbb758d9173c6916372601f060160b2bf8af5b2b53c7ae2bf060570c45a929

memory/2644-269-0x000000006FE10000-0x0000000070E72000-memory.dmp

memory/2644-270-0x0000000001360000-0x0000000002E22000-memory.dmp

memory/2512-271-0x0000000005FD0000-0x0000000007A92000-memory.dmp

memory/2644-272-0x000000006FE10000-0x000000006FE50000-memory.dmp

memory/2644-273-0x000000006F5D0000-0x000000006FCBE000-memory.dmp

memory/2644-275-0x000000001EB00000-0x000000001EB40000-memory.dmp

memory/2644-274-0x0000000001360000-0x0000000002E22000-memory.dmp

memory/2644-278-0x000000006F5D0000-0x000000006FCBE000-memory.dmp

memory/2644-280-0x000000001EB00000-0x000000001EB40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-07 07:30

Reported

2023-12-07 07:32

Platform

win10v2004-20231127-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Guloader,Cloudeye

downloader guloader

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Haglskadeforsikring\Miljankenvnet.ini C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3924 set thread context of 1800 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\cockling.lnk C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A
File opened for modification C:\Program Files (x86)\Kldebonnets.kod C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\integraltegnets\substrate.Ski C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A
File created C:\Program Files (x86)\cockling.lnk C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\bagvognen.lnk C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A
File opened for modification C:\Windows\Calottes.Doo C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A
File opened for modification C:\Windows\bagvognen.lnk C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe

"C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Tiljublingens=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Falskspillerens.Ill';$Konferenserne=$Tiljublingens.SubString(48125,3);.$Konferenserne($Tiljublingens)"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 107.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 58.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 kayserialarmuydu.com udp
TR 5.2.84.221:80 kayserialarmuydu.com tcp
TR 5.2.84.221:443 kayserialarmuydu.com tcp
US 8.8.8.8:53 221.84.2.5.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 99.175.53.84.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Rkkens.ini

MD5 a8ca1db6ae34f5e5c152094f44f92476
SHA1 9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7
SHA256 1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3
SHA512 e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

memory/3924-168-0x0000000002D90000-0x0000000002DC6000-memory.dmp

memory/3924-169-0x00000000732B0000-0x0000000073A60000-memory.dmp

memory/3924-170-0x0000000002E40000-0x0000000002E50000-memory.dmp

memory/3924-171-0x0000000002E40000-0x0000000002E50000-memory.dmp

memory/3924-172-0x0000000005690000-0x0000000005CB8000-memory.dmp

memory/3924-173-0x00000000053C0000-0x00000000053E2000-memory.dmp

memory/3924-174-0x0000000005CC0000-0x0000000005D26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1qgcwqct.kqi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3924-175-0x0000000005D30000-0x0000000005D96000-memory.dmp

memory/3924-185-0x0000000005DA0000-0x00000000060F4000-memory.dmp

memory/3924-186-0x0000000006440000-0x000000000645E000-memory.dmp

memory/3924-187-0x0000000006470000-0x00000000064BC000-memory.dmp

memory/3924-188-0x0000000002E40000-0x0000000002E50000-memory.dmp

memory/3924-189-0x00000000069A0000-0x0000000006A36000-memory.dmp

memory/3924-191-0x0000000007420000-0x0000000007442000-memory.dmp

memory/3924-190-0x0000000006950000-0x000000000696A000-memory.dmp

memory/3924-192-0x0000000007A00000-0x0000000007FA4000-memory.dmp

C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Falskspillerens.Ill

MD5 fa2b04b706a4a1a50a3866e1fffb34f7
SHA1 0bf99926ab1aff752fd2325d7dadcf68440cda83
SHA256 d16797d1615df0383dab78a1e90f594439ae34c0f0cc9083e5883f42585718c5
SHA512 58097ca7d6c8145504b41807f2e0aa4b41aa4d5e58943d47455c7e60a5bc4288756503d5a93e3c2c362c5c5aa0c782af3cf30a6a10e206d498eed7e7ae993263

memory/3924-194-0x0000000008630000-0x0000000008CAA000-memory.dmp

C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Wreathless.You

MD5 a7d050056af386ff8097a7effd1d9f6f
SHA1 008fafc028955c2bdab6508168135e42b1c2d437
SHA256 5270d655c8baee63673cce7a5d4c4bd8130d37dcc5a0688d5589913b96cc6d95
SHA512 7413802fcf4e35e690adef8718dfad2fc73848a3f5e9ea7bc9636795dce7cba8bf28022d28e9323041e2210a2ab413f48d1a990f2bb7b40bf42602b28788870d

memory/3924-197-0x00000000079A0000-0x00000000079A4000-memory.dmp

memory/3924-198-0x00000000732B0000-0x0000000073A60000-memory.dmp

memory/3924-199-0x0000000008CB0000-0x000000000A772000-memory.dmp

memory/3924-200-0x0000000008CB0000-0x000000000A772000-memory.dmp

memory/3924-202-0x0000000002E40000-0x0000000002E50000-memory.dmp

memory/3924-203-0x0000000002E40000-0x0000000002E50000-memory.dmp

memory/3924-204-0x0000000002E40000-0x0000000002E50000-memory.dmp

memory/3924-205-0x0000000076F11000-0x0000000077031000-memory.dmp

memory/1800-206-0x0000000000900000-0x00000000023C2000-memory.dmp

memory/3924-207-0x0000000008CB0000-0x000000000A772000-memory.dmp

memory/1800-208-0x0000000076F98000-0x0000000076F99000-memory.dmp

memory/1800-209-0x0000000076F11000-0x0000000077031000-memory.dmp

memory/1800-213-0x000000006E0B0000-0x000000006F304000-memory.dmp

memory/1800-214-0x0000000000900000-0x00000000023C2000-memory.dmp

memory/3924-216-0x00000000732B0000-0x0000000073A60000-memory.dmp

memory/1800-218-0x00000000732B0000-0x0000000073A60000-memory.dmp

memory/1800-217-0x000000006E0B0000-0x000000006E0F0000-memory.dmp

memory/3924-219-0x0000000008CB0000-0x000000000A772000-memory.dmp

memory/1800-220-0x000000001E450000-0x000000001E460000-memory.dmp

memory/1800-221-0x0000000000900000-0x00000000023C2000-memory.dmp

memory/1800-222-0x0000000020A60000-0x0000000020AB0000-memory.dmp

memory/1800-223-0x0000000021100000-0x0000000021192000-memory.dmp

memory/1800-224-0x0000000020AC0000-0x0000000020ACA000-memory.dmp

memory/1800-227-0x00000000732B0000-0x0000000073A60000-memory.dmp

memory/1800-228-0x000000001E450000-0x000000001E460000-memory.dmp