Malware Analysis Report

2025-04-03 09:10

Sample ID 250301-dp6tksynw8
Target 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe
SHA256 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715
Tags
amadey a4d2cd defense_evasion discovery trojan systembc
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715

Threat Level: Known bad

The file 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe was found to be: Known bad.

Malicious Activity Summary

amadey a4d2cd defense_evasion discovery trojan systembc

Systembc family

SystemBC

Amadey family

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-01 03:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-01 03:12

Reported

2025-03-01 03:14

Platform

win7-20240903-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe

"C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp

Files

memory/2352-0-0x0000000000C00000-0x00000000010B5000-memory.dmp

memory/2352-1-0x0000000077260000-0x0000000077262000-memory.dmp

memory/2352-2-0x0000000000C01000-0x0000000000C2F000-memory.dmp

memory/2352-3-0x0000000000C00000-0x00000000010B5000-memory.dmp

memory/2352-4-0x0000000000C00000-0x00000000010B5000-memory.dmp

memory/2352-6-0x0000000000C00000-0x00000000010B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 36e536a514745cab05f83cbe5f4a412e
SHA1 befb59b14249e5f240bb80281f1a14663438b126
SHA256 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715
SHA512 63245e2771ce4118f3a51a5d0d87cec398838389e56ad7783299cd21b98f5f5b33dcf99ca015f68b30d9349e94c8cfc1e7ad40ec67f8db2766d38c94202ab88f

memory/2352-17-0x0000000006BA0000-0x0000000007055000-memory.dmp

memory/2724-20-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2352-19-0x0000000006BA0000-0x0000000007055000-memory.dmp

memory/2352-22-0x0000000000C00000-0x00000000010B5000-memory.dmp

memory/2724-23-0x0000000001181000-0x00000000011AF000-memory.dmp

memory/2724-24-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-26-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-27-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-28-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-29-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-30-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-31-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-32-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-33-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-34-0x0000000001180000-0x0000000001635000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000440100\winnet.exe

MD5 e2803fef7cfb1c203d8b96f888e4dca3
SHA1 cd6807430ba29a4da075409b02b568ace8a5559d
SHA256 ed6072555bfc78f42d2f9e776035a50fc2843afe13b2a75dee2a96707afe8d1d
SHA512 2308932fac6c28d339ff84633ada31b846f9cc6a8272f4b1b6dd3488baa9ac2fb2cff94a02b4d773181554b16c7d8744368e236d633fcf66cee8218f0a594d40

memory/2724-44-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-45-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-46-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-47-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-48-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-49-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-50-0x0000000001180000-0x0000000001635000-memory.dmp

memory/2724-51-0x0000000001180000-0x0000000001635000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-01 03:12

Reported

2025-03-01 03:14

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\lrbv\hbvsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000440100\winnet.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\lrbv\hbvsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\lrbv\hbvsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000440100\winnet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000440100\winnet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000440100\winnet.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\ProgramData\lrbv\hbvsv.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000440100\winnet.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\lrbv\hbvsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000440100\winnet.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe

"C:\Users\Admin\AppData\Local\Temp\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000440100\winnet.exe

"C:\Users\Admin\AppData\Roaming\10000440100\winnet.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\lrbv\hbvsv.exe

C:\ProgramData\lrbv\hbvsv.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 62.60.226.86:4000 towerbingobongoboom.com tcp
DE 62.60.226.86:4264 towerbingobongoboom.com tcp

Files

memory/1880-0-0x0000000000A00000-0x0000000000EB5000-memory.dmp

memory/1880-1-0x00000000774A4000-0x00000000774A6000-memory.dmp

memory/1880-2-0x0000000000A01000-0x0000000000A2F000-memory.dmp

memory/1880-3-0x0000000000A00000-0x0000000000EB5000-memory.dmp

memory/1880-4-0x0000000000A00000-0x0000000000EB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 36e536a514745cab05f83cbe5f4a412e
SHA1 befb59b14249e5f240bb80281f1a14663438b126
SHA256 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715
SHA512 63245e2771ce4118f3a51a5d0d87cec398838389e56ad7783299cd21b98f5f5b33dcf99ca015f68b30d9349e94c8cfc1e7ad40ec67f8db2766d38c94202ab88f

memory/1344-16-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/1880-18-0x0000000000A00000-0x0000000000EB5000-memory.dmp

memory/1344-19-0x0000000000ED1000-0x0000000000EFF000-memory.dmp

memory/1344-20-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/1344-21-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/1344-22-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/1344-23-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/1344-24-0x0000000000ED0000-0x0000000001385000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000440100\winnet.exe

MD5 598cbb4775bec2b1aac2cb43ef00321e
SHA1 0d6f99c1c3d26b1e4dd92ad9958f8f7507b0b89f
SHA256 a89977186920e1f4104c034b686663b530fe1df480632685301ea0ac643290de
SHA512 36a63fad3842d1ca7aa798d52a13f2cf296c1f7f49d43fdf12052629a344f261d48ea8dfb7114b6c7c4fcae23fba098b372cf8ded6b18d0889126215e6d1f83f

memory/1512-39-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1512-40-0x0000000000401000-0x0000000000403000-memory.dmp

memory/1512-41-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1344-44-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/1512-45-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1512-46-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1512-47-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1512-48-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1344-49-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/1512-50-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1344-51-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/1512-52-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1344-53-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/1304-55-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/2880-58-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1304-59-0x0000000000ED0000-0x0000000001385000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 087e2e048879631c2610bb98d3cb82c0
SHA1 25f8eb4b6bfea3b8255f232fac651a0a4030e2ac
SHA256 8a39ceeacc6e3141216b75ddfed90e5c83336e9be3b59e28a80009276c1f6fc5
SHA512 cc22caf21b6814357d7055f0bc9db5379c183886e858a497cf7276b2cdbc1fcce0d089c2ef2de6eeb46a2d3d0fd9b7313cbcf40499a61c6f6bf2894a8ea98cc6

memory/1512-61-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1344-62-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/2880-63-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1512-64-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1344-65-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/2880-66-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1512-67-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1512-68-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1344-69-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/2880-70-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1344-71-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/2880-72-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1344-73-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/2880-74-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1344-75-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/2484-77-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/2484-78-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/2880-79-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1344-80-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/2880-81-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1344-82-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/2880-83-0x0000000000400000-0x0000000000837000-memory.dmp

memory/1344-84-0x0000000000ED0000-0x0000000001385000-memory.dmp

memory/2880-85-0x0000000000400000-0x0000000000837000-memory.dmp