Malware Analysis Report

2024-12-07 14:13

Sample ID 241115-cbkthswhkl
Target 087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e
SHA256 087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e
Tags
agenttesla discovery keylogger spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e

Threat Level: Known bad

The file 087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e was found to be: Known bad.

Malicious Activity Summary

agenttesla discovery keylogger spyware stealer trojan

AgentTesla

Agenttesla family

Looks up external IP address via web service

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Analysis: static1

Detonation Overview

Reported

2024-11-15 01:54

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 01:54

Reported

2024-11-15 01:56

Platform

win7-20241023-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2316 set thread context of 2992 N/A C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe

"C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\arrogatingly

MD5 66e2ff4ee8e4c8fce64a49545ccc80e0
SHA1 642c25c9e8d5477558cbe46159cf30f5b22584ae
SHA256 bf436a28d6e7785c0b79e938009684385562c157aa6e1fd47780b3fdea569b91
SHA512 4318467eec66e123863a7e98aa848c203cd3029bde65bfc89653884e05bfbe52ae5d95dc0e040d053533ebd4abb99e852d4cc06f28f4d1a65bb4f588d4b32541

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 01:54

Reported

2024-11-15 01:56

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3980 set thread context of 5040 N/A C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3004 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3004 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe
PID 1808 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1808 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe
PID 3980 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe

"C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe"

C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe

"C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe"

C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe

"C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\aut8E46.tmp

MD5 66e2ff4ee8e4c8fce64a49545ccc80e0
SHA1 642c25c9e8d5477558cbe46159cf30f5b22584ae
SHA256 bf436a28d6e7785c0b79e938009684385562c157aa6e1fd47780b3fdea569b91
SHA512 4318467eec66e123863a7e98aa848c203cd3029bde65bfc89653884e05bfbe52ae5d95dc0e040d053533ebd4abb99e852d4cc06f28f4d1a65bb4f588d4b32541

memory/3004-13-0x0000000004060000-0x0000000004260000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pluffer

MD5 a4ad54949137c49124a192254e71347e
SHA1 6ca7b8a0b804a066e5c4658403da6872b8fc4639
SHA256 f64094b1952ee6a3b15d3d17740be0ff2095f37dc1fd988e4c27782d6b1059d6
SHA512 0ef9a7fdd2453667a5a2f7e297ac73d3b4a404d912a1bfa2274d62f78e752cfcc3df840ca9f4daaac699f81796b14814b460644b1bb9920cd80cef7444b5d78b

memory/1808-29-0x0000000003C30000-0x0000000003E30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aut9461.tmp

MD5 e31b6fe982af4e4ba9042112c1e4b393
SHA1 587b516e465dccdedc39b215a662c414bfaf92b2
SHA256 65aaad3f6357a34d7b83ed971ee79cd3e130484398388f54ca53cb4213b13e6d
SHA512 9009b6042a7cc331b5af3cc80edee0218d9106675b03551a1712aa68cb2eceb85f191e85ad281b0e2e3699f971ada498b40615831555e5f950dd66da28d3532c
