Malware Analysis Report

2024-11-15 08:44

Sample ID 240510-hv64rahc6v
Target 9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics
SHA256 32656c10bc36086f55c102ca3aecb8150780ce69a06328cb2dcec9740525fad2
Tags agenttesla zgrat keylogger rat spyware stealer trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

32656c10bc36086f55c102ca3aecb8150780ce69a06328cb2dcec9740525fad2

Threat Level: Known bad

The file 9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

agenttesla zgrat keylogger rat spyware stealer trojan

Detect ZGRat V1

AgentTesla

ZGRat

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-10 07:04

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 07:04

Reported

2024-05-10 07:07

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2836 set thread context of 2660 N/A C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2980 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe
PID 2836 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\parachronistic

MD5 573d440d12a2bd22c2bb3fe1ff5d0daa
SHA1 b92fb12836fa1392b0e9e7e0616ed26662a13791
SHA256 47865b075d506d19953b299ba9d699b53a730af1b11d08b7395cc5097ba3cf2c
SHA512 30131b0b01517c596a1c66bc6af9e3c259e2d460db922c579a6b3d3300d0106555588afebe130387657eedcb1e1161793659dc150fefd7aa757123bb1ac99184

C:\Users\Admin\AppData\Local\Temp\hepatoduodenostomy

MD5 1c5cb5b277787f3806c4f950c5805db5
SHA1 bbce2669c95c8ab82a83ce99092c5c57e142f895
SHA256 45dbf140b2b749ee3c7a63a9927180a56d6ce228a501af20fb51d0a8c040ab5c
SHA512 d8ead5a566cc403ea797ac2a4cf302a59fc8961fcc4bf37222af998e3fdfeac1e270a874fbebba39194a27ccdf0582495e8af5988f13800f348e23590be050e5

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 07:04

Reported

2024-05-10 07:07

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1408 set thread context of 3708 N/A C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1808 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe
PID 1408 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe"

Network

Country Destination Domain Proto
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\aut4825.tmp

MD5 573d440d12a2bd22c2bb3fe1ff5d0daa
SHA1 b92fb12836fa1392b0e9e7e0616ed26662a13791
SHA256 47865b075d506d19953b299ba9d699b53a730af1b11d08b7395cc5097ba3cf2c
SHA512 30131b0b01517c596a1c66bc6af9e3c259e2d460db922c579a6b3d3300d0106555588afebe130387657eedcb1e1161793659dc150fefd7aa757123bb1ac99184

C:\Users\Admin\AppData\Local\Temp\parachronistic

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\hepatoduodenostomy

MD5 1c5cb5b277787f3806c4f950c5805db5
SHA1 bbce2669c95c8ab82a83ce99092c5c57e142f895
SHA256 45dbf140b2b749ee3c7a63a9927180a56d6ce228a501af20fb51d0a8c040ab5c
SHA512 d8ead5a566cc403ea797ac2a4cf302a59fc8961fcc4bf37222af998e3fdfeac1e270a874fbebba39194a27ccdf0582495e8af5988f13800f348e23590be050e5
