Analysis Overview
SHA256
06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8
Threat Level: Known bad
The file 06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Detect ZGRat V1
ZGRat
Adds Run key to start application
AutoIT Executable
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-05-09 11:13
Signatures
AutoIT Executable
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 11:13
Reported
2024-05-09 11:15
Platform
win7-20240508-en
Max time kernel
119s
Max time network
125s
Signatures
AgentTesla
Detect ZGRat V1
ZGRat
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctsdvwT = "C:\\Users\\Admin\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2588 set thread context of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe
"C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe"
C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe
"C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe"
C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe
"C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 324
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mail.deeptrans.com.tr | udp |
| TR | 93.89.226.88:587 | mail.deeptrans.com.tr | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\emboweling
| MD5 | e89ff9237c86ef826d487a5e74aa43ea |
| SHA1 | a4ecb4a1784bf32f761259b8a3ddd46ab828c91b |
| SHA256 | 402c6803447338a42349e4a5e1474717a2d7d1b294f71e798a28db7f767fc979 |
| SHA512 | 623818ce2be965bfcbf3fbc762e4fe4a3fcd33d5f397bf636a6b0a8c6f3e057b7a440f7b454dd6034658201b3f170620981b8e0daf73aac6789ee638fc5d242d |
C:\Users\Admin\AppData\Local\Temp\emboweling
| MD5 | 7ea1ae654fe55be33ff369b074a8a081 |
| SHA1 | 40ed57b1d1b5fffcc57fd791b31165b3bcd78391 |
| SHA256 | f9f040cdf4c214d0c327e2f05ab04ea7c227e35ebaee748f95d7a29b122f9326 |
| SHA512 | ffba2dd5a9f1f316d59d4b8d1610a6286bcd37cafc30c8b444d89e10b7319c1cb1f84fad58657727b20aa0bc97e6b58df8950e6d444da6a3e0d795362a071770 |
C:\Users\Admin\AppData\Local\Temp\miaoued
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\emboweling
| MD5 | 2c962b7ddd7d9fb160c43ae60acd5564 |
| SHA1 | b5dc68445022b7f4df65a6042f7a4bb6d86ba324 |
| SHA256 | 01837cfcdad79fb17f5c2cde54cf31054b6d35afdc4c9762acad6618fc06eae0 |
| SHA512 | aa0f7fed5e36c00af09dc0120e036d3383a73f13adaf055a6d0b64456cf7c38779da3923e46cb665a334d0fe51c9ca59bdd0a0a2abeece4abc0be1baaaf3005d |
C:\Users\Admin\AppData\Local\Temp\aut1611.tmp
| MD5 | 66213a383a3a95754506ba3862788b6c |
| SHA1 | c5ead0bfdd17bca5835117cc6e0bff72e3c5f423 |
| SHA256 | a324e9769a6761e411d05b7e6d7255a2284e28645dd26844c737471081d3607d |
| SHA512 | 54961defc32c08af243df17f2b6dad3dadf787d69738b48a9ef31edb48a8d3bfa75b9c133e89ef43e3d50891b4de682cc655f9b2846e8d67b8e031e3ae9d5252 |
C:\Users\Admin\AppData\Local\Temp\miaoued
| MD5 | 0abc02469ab76c71984f8f0cdf209c5b |
| SHA1 | 170a4b1e02c04d7b5d12d19f9d11eca3ae7071ed |
| SHA256 | a048e76ea341d1acd7d02c6c91ce8f6d1a50b11caf994d0f105e6d1db7e82698 |
| SHA512 | d3cff68b20dfbb5155bcdf59c425c843cbc401d8a076850766f2b77001b11994fe548e0dbe2ed1e46f75edef07ea71c0be7e9c6890a106803b479fb4b2f3ce4e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 11:13
Reported
2024-05-09 11:15
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
153s
Signatures
AgentTesla
Detect ZGRat V1
ZGRat
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctsdvwT = "C:\\Users\\Admin\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4008 set thread context of 3900 | N/A | C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4008 wrote to memory of 3900 | N/A | C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4008 wrote to memory of 3900 | N/A | C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4008 wrote to memory of 3900 | N/A | C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4008 wrote to memory of 3900 | N/A | C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe
"C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4008 -ip 4008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 724
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.186:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 186.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| BE | 88.221.83.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.deeptrans.com.tr | udp |
| TR | 93.89.226.88:587 | mail.deeptrans.com.tr | tcp |
| US | 8.8.8.8:53 | 88.226.89.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\aut4343.tmp
| MD5 | e89ff9237c86ef826d487a5e74aa43ea |
| SHA1 | a4ecb4a1784bf32f761259b8a3ddd46ab828c91b |
| SHA256 | 402c6803447338a42349e4a5e1474717a2d7d1b294f71e798a28db7f767fc979 |
| SHA512 | 623818ce2be965bfcbf3fbc762e4fe4a3fcd33d5f397bf636a6b0a8c6f3e057b7a440f7b454dd6034658201b3f170620981b8e0daf73aac6789ee638fc5d242d |