Malware Analysis Report

2025-08-05 09:10

Sample ID 240325-bs432sfa9s
Target 295e0a6b24d257762e105940104b3474.bin
SHA256 0ee05cdf618b8bc9579b9858b2150257d59298e9ee718cb88d1ac3bef34cf5ec
Tags socks5systemz, botnet, discovery
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 295e0a6b24d257762e105940104b3474.bin was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery

Detect Socks5Systemz Payload

Socks5Systemz

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-03-25 01:25

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-25 01:25
Reported 2024-03-25 01:27
Platform win7-20240221-en
Max time kernel 143s
Max time network 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.exe"

Signatures

Detect Socks5Systemz Payload

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.exe C:\Users\Admin\AppData\Local\Temp\is-1G78S.tmp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.tmp
PID 2200 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\is-1G78S.tmp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 2200 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\is-1G78S.tmp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.exe

"C:\Users\Admin\AppData\Local\Temp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.exe"

C:\Users\Admin\AppData\Local\Temp\is-1G78S.tmp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1G78S.tmp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.tmp" /SL5="$3013A,1728895,54272,C:\Users\Admin\AppData\Local\Temp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.exe"

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe" -i

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe" -s

Network

Country Destination Domain Proto
LT 91.211.247.248:53 ckdecad.net udp
MD 45.142.214.240:80 ckdecad.net tcp

Files

\Users\Admin\AppData\Local\Temp\is-1G78S.tmp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.tmp

\Users\Admin\AppData\Local\Temp\is-VSNGG.tmp\_isetup\_shfoldr.dll

\Users\Admin\AppData\Local\Temp\is-VSNGG.tmp\_isetup\_iscrypt.dll

\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-25 01:25
Reported 2024-03-25 01:27
Platform win10v2004-20231215-en
Max time kernel 141s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.exe"

Signatures

Detect Socks5Systemz Payload

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4092 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.exe C:\Users\Admin\AppData\Local\Temp\is-LDQM1.tmp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.tmp
PID 1040 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\is-LDQM1.tmp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 1040 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\is-LDQM1.tmp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.exe

"C:\Users\Admin\AppData\Local\Temp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.exe"

C:\Users\Admin\AppData\Local\Temp\is-LDQM1.tmp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LDQM1.tmp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.tmp" /SL5="$6020C,1728895,54272,C:\Users\Admin\AppData\Local\Temp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.exe"

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe" -i

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe" -s

Network

Country Destination Domain Proto
LT 91.211.247.248:53 ddhxgop.info udp
MD 45.142.214.240:80 ddhxgop.info tcp
US 8.8.8.8:53 248.247.211.91.in-addr.arpa udp
US 8.8.8.8:53 240.214.142.45.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\is-LDQM1.tmp\6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c.tmp

C:\Users\Admin\AppData\Local\Temp\is-H6MT0.tmp\_isetup\_iscrypt.dll

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
