Analysis Overview
SHA256
f9e2630c091701b27dd620807655fce9c9db2dd36dfcf382feafd8ef165f0946
Threat Level: Known bad
The file CDE 0915.bz was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-11 14:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-11 14:35
Reported
2023-10-12 03:54
Platform
win7-20230831-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3060 set thread context of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 2724 set thread context of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Windows\Explorer.EXE |
| PID 2724 set thread context of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Windows\Explorer.EXE |
| PID 2764 set thread context of 1244 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe
"C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe"
C:\Users\Admin\AppData\Local\Temp\myyzql.exe
"C:\Users\Admin\AppData\Local\Temp\myyzql.exe"
C:\Users\Admin\AppData\Local\Temp\myyzql.exe
"C:\Users\Admin\AppData\Local\Temp\myyzql.exe"
C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\myyzql.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.webpanel.cfd | udp |
| US | 8.8.8.8:53 | www.xxxmovs.world | udp |
| NL | 81.171.28.46:80 | www.xxxmovs.world | tcp |
| US | 8.8.8.8:53 | www.ihb4y.com | udp |
| US | 8.8.8.8:53 | www.hkbnzb36a52z.xyz | udp |
| US | 8.8.8.8:53 | www.landscapestandard.com | udp |
| US | 18.119.154.66:80 | www.landscapestandard.com | tcp |
| US | 8.8.8.8:53 | www.willispeng.com | udp |
| US | 34.149.87.45:80 | www.willispeng.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\myyzql.exe
| MD5 | e460b7d571b50e5950fdd69feebf2357 |
| SHA1 | 04d5a524e57a760f0bcea873faab604a6364428d |
| SHA256 | c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed |
| SHA512 | 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863 |
C:\Users\Admin\AppData\Local\Temp\myyzql.exe
| MD5 | e460b7d571b50e5950fdd69feebf2357 |
| SHA1 | 04d5a524e57a760f0bcea873faab604a6364428d |
| SHA256 | c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed |
| SHA512 | 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863 |
memory/3060-6-0x0000000000090000-0x0000000000092000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eazmqu.yfg
| MD5 | 33b827d4ebc3080d1b326e7335dfdfbe |
| SHA1 | 28830e77aa2c9a4b512e20d18734bf03379c81ba |
| SHA256 | e18d141bb79de85f32948f75025263084559780d116f5ddbca8767636b8058d9 |
| SHA512 | 4a47d359cded2f7c634827d2f39522bd0e4e741579401455aed57cabbefc905bf51566c5216aa7879489f7f234ee8255c5f01e7fcf079a7e6fd4cf27c848fba3 |
\Users\Admin\AppData\Local\Temp\myyzql.exe
| MD5 | e460b7d571b50e5950fdd69feebf2357 |
| SHA1 | 04d5a524e57a760f0bcea873faab604a6364428d |
| SHA256 | c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed |
| SHA512 | 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863 |
C:\Users\Admin\AppData\Local\Temp\myyzql.exe
| MD5 | e460b7d571b50e5950fdd69feebf2357 |
| SHA1 | 04d5a524e57a760f0bcea873faab604a6364428d |
| SHA256 | c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed |
| SHA512 | 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863 |
memory/2724-10-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\myyzql.exe
| MD5 | e460b7d571b50e5950fdd69feebf2357 |
| SHA1 | 04d5a524e57a760f0bcea873faab604a6364428d |
| SHA256 | c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed |
| SHA512 | 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863 |
memory/2724-13-0x0000000000800000-0x0000000000B03000-memory.dmp
memory/2724-15-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1244-16-0x00000000037E0000-0x00000000038E0000-memory.dmp
memory/2724-17-0x0000000000200000-0x0000000000214000-memory.dmp
memory/1244-18-0x0000000006AE0000-0x0000000006C5E000-memory.dmp
memory/2724-20-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2724-21-0x0000000000350000-0x0000000000364000-memory.dmp
memory/1244-22-0x00000000037E0000-0x00000000038E0000-memory.dmp
memory/1244-23-0x0000000006D50000-0x0000000006EE3000-memory.dmp
memory/2764-24-0x00000000007E0000-0x00000000007E5000-memory.dmp
memory/2764-25-0x00000000007E0000-0x00000000007E5000-memory.dmp
memory/2764-26-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/2764-27-0x0000000001EC0000-0x00000000021C3000-memory.dmp
memory/1244-28-0x0000000006D50000-0x0000000006EE3000-memory.dmp
memory/2764-29-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/2764-30-0x0000000001CF0000-0x0000000001D83000-memory.dmp
memory/1244-31-0x00000000037E0000-0x00000000038E0000-memory.dmp
memory/1244-32-0x0000000003AD0000-0x0000000003BA8000-memory.dmp
memory/1244-34-0x0000000003AD0000-0x0000000003BA8000-memory.dmp
memory/1244-36-0x0000000003AD0000-0x0000000003BA8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-11 14:35
Reported
2023-10-12 03:53
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2332 set thread context of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 3388 set thread context of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Windows\Explorer.EXE |
| PID 2092 set thread context of 2572 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe
"C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe"
C:\Users\Admin\AppData\Local\Temp\myyzql.exe
"C:\Users\Admin\AppData\Local\Temp\myyzql.exe"
C:\Users\Admin\AppData\Local\Temp\myyzql.exe
"C:\Users\Admin\AppData\Local\Temp\myyzql.exe"
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\myyzql.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.premiumistudysolution.com | udp |
| CA | 142.44.226.116:80 | www.premiumistudysolution.com | tcp |
| US | 8.8.8.8:53 | 116.226.44.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.nongsanvietco.com | udp |
| VN | 103.75.184.21:80 | www.nongsanvietco.com | tcp |
| US | 8.8.8.8:53 | 21.184.75.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ywx5pn.com | udp |
| US | 8.8.8.8:53 | www.highcaliberhusbands.com | udp |
| US | 8.8.8.8:53 | www.xyhbg.com | udp |
| US | 154.64.84.212:80 | www.xyhbg.com | tcp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.84.64.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.webpanel.cfd | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\myyzql.exe
| MD5 | e460b7d571b50e5950fdd69feebf2357 |
| SHA1 | 04d5a524e57a760f0bcea873faab604a6364428d |
| SHA256 | c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed |
| SHA512 | 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863 |
C:\Users\Admin\AppData\Local\Temp\myyzql.exe
| MD5 | e460b7d571b50e5950fdd69feebf2357 |
| SHA1 | 04d5a524e57a760f0bcea873faab604a6364428d |
| SHA256 | c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed |
| SHA512 | 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863 |
memory/2332-5-0x0000000001550000-0x0000000001552000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eazmqu.yfg
| MD5 | 33b827d4ebc3080d1b326e7335dfdfbe |
| SHA1 | 28830e77aa2c9a4b512e20d18734bf03379c81ba |
| SHA256 | e18d141bb79de85f32948f75025263084559780d116f5ddbca8767636b8058d9 |
| SHA512 | 4a47d359cded2f7c634827d2f39522bd0e4e741579401455aed57cabbefc905bf51566c5216aa7879489f7f234ee8255c5f01e7fcf079a7e6fd4cf27c848fba3 |
memory/3388-7-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\myyzql.exe
| MD5 | e460b7d571b50e5950fdd69feebf2357 |
| SHA1 | 04d5a524e57a760f0bcea873faab604a6364428d |
| SHA256 | c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed |
| SHA512 | 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863 |
memory/3388-10-0x00000000017F0000-0x0000000001B3A000-memory.dmp
memory/3388-12-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3388-13-0x00000000014C0000-0x00000000014D4000-memory.dmp
memory/2572-14-0x0000000008DB0000-0x0000000008E6A000-memory.dmp
memory/2092-15-0x0000000000830000-0x0000000000857000-memory.dmp
memory/2092-16-0x0000000000830000-0x0000000000857000-memory.dmp
memory/2092-17-0x0000000001170000-0x000000000119F000-memory.dmp
memory/2092-18-0x0000000003220000-0x000000000356A000-memory.dmp
memory/2572-19-0x0000000008DB0000-0x0000000008E6A000-memory.dmp
memory/2092-21-0x0000000001170000-0x000000000119F000-memory.dmp
memory/2092-22-0x0000000001170000-0x000000000119F000-memory.dmp
memory/2092-23-0x0000000003050000-0x00000000030E3000-memory.dmp
memory/2572-24-0x00000000093B0000-0x0000000009517000-memory.dmp
memory/2572-25-0x00000000093B0000-0x0000000009517000-memory.dmp
memory/2572-27-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-29-0x0000000001330000-0x0000000001340000-memory.dmp
memory/2572-28-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-30-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-31-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-32-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-33-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-34-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-36-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-38-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-39-0x00000000093B0000-0x0000000009517000-memory.dmp
memory/2572-40-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-41-0x0000000001440000-0x0000000001450000-memory.dmp
memory/2572-42-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-43-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-44-0x0000000001440000-0x0000000001450000-memory.dmp
memory/2572-46-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-45-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-47-0x0000000001330000-0x0000000001340000-memory.dmp
memory/2572-49-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-51-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-53-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-54-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-56-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-55-0x0000000007B90000-0x0000000007BA0000-memory.dmp
memory/2572-58-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-57-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-59-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-61-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-63-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-62-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-60-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-70-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-71-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-72-0x0000000001440000-0x0000000001450000-memory.dmp
memory/2572-73-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-74-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-75-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-76-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-77-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-81-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-79-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-82-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-83-0x0000000003170000-0x0000000003180000-memory.dmp
memory/2572-84-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-85-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-86-0x00000000012F0000-0x0000000001300000-memory.dmp
memory/2572-87-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-89-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-88-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-93-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-91-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-95-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-96-0x00000000012F0000-0x0000000001300000-memory.dmp
memory/2572-97-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-98-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-100-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-102-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-101-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-105-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-104-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-112-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-113-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-114-0x00000000032E0000-0x00000000032F0000-memory.dmp
memory/2572-115-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-116-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-117-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-118-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-121-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-119-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-123-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-124-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-125-0x00000000032E0000-0x00000000032F0000-memory.dmp
memory/2572-126-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-127-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-129-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-131-0x0000000001320000-0x0000000001330000-memory.dmp
memory/2572-128-0x00000000032E0000-0x00000000032F0000-memory.dmp
memory/2572-133-0x0000000001320000-0x0000000001330000-memory.dmp