Malware Analysis Report

2025-08-05 20:57

Sample ID 240404-wgsabsef88
Target bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118
SHA256 4fbb6d84a1a7054724b491fe928c655b3bb7bb45c971f8126e6f39e0fc70ebfa
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4fbb6d84a1a7054724b491fe928c655b3bb7bb45c971f8126e6f39e0fc70ebfa

Threat Level: Shows suspicious behavior

The file bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 17:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 17:53

Reported

2024-04-04 17:56

Platform

win7-20231129-en

Max time kernel

149s

Max time network

117s

Command Line

C:\Windows\Explorer.EXE

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmdktend = "C:\\Users\\Admin\\AppData\\Roaming\\ciphtune\\cleaubst.exe" C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ipcorver.exe C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipcorver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe
PID 1972 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe
PID 1972 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe
PID 1972 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe
PID 948 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp
PID 948 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp
PID 948 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp
PID 948 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp
PID 2220 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp C:\Windows\Explorer.EXE
PID 1972 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1972 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1972 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1972 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe

"C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe"

C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp

"C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp"

C:\Windows\SysWOW64\ipcorver.exe

C:\Windows\SysWOW64\ipcorver.exe -k

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 260

Network

N/A

Files

memory/1972-0-0x0000000000230000-0x000000000026E000-memory.dmp

\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe

MD5 8f8632b957108d710d90dec7f3d02aab
SHA1 acf3b1bcdfea0c49a1c8583950f113ef241ecb2b
SHA256 864a91ece964b2d235ece6f79ee823f92404183ca12bcd2db457ddccce65d068
SHA512 50da571536c63e1eaf334631ccb9575dd464283cec897d0d1b37d4d1fc0b10281a105fbae5f10cfb0aa61cbc9b6108829caf87bba804f4090626fec529f8d50e

memory/948-11-0x0000000000180000-0x00000000001BE000-memory.dmp

memory/1376-16-0x0000000002AC0000-0x0000000002B01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp

MD5 dd82fd50b49849e5554a7edae2bb78bb
SHA1 63106cfe3d3a1d60be2d44e1218fb3ce9afe686c
SHA256 c4bece33fde62ec6fa1fe0a6b4b23f7106d759134ed72794d8086fe68ace561c
SHA512 af8b5b3b46af78d1382689cf7e92adfa78ef4326c3a96624970502f9955ed6c17917389d525918983fe88fae04f95ae533e4e9a20da161d599d17c48270e6b76

memory/1376-18-0x0000000002AC0000-0x0000000002B01000-memory.dmp

memory/1376-17-0x0000000002AC0000-0x0000000002B01000-memory.dmp

C:\Windows\SysWOW64\ipcorver.exe

MD5 bedc21cc9bb6cc278ba47dee9f32dc27
SHA1 7c8d177753fcf3f1afb578895e8e852a6bd75c55
SHA256 4fbb6d84a1a7054724b491fe928c655b3bb7bb45c971f8126e6f39e0fc70ebfa
SHA512 46ad6477c4addaa0a464e02eefbd68e1c76a6d9794bbe820d36de67254b3198dba361769f67ef2ecc2958d160a2bfd8400095bf2c13b352a64c61b864e721216

memory/1884-26-0x0000000000120000-0x000000000015E000-memory.dmp

memory/1884-27-0x0000000000120000-0x000000000015E000-memory.dmp

memory/1884-28-0x0000000000120000-0x000000000015E000-memory.dmp

memory/1972-30-0x0000000000230000-0x000000000026E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 17:53

Reported

2024-04-04 17:56

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~36BB.tmp N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecEmote = "C:\\Users\\Admin\\AppData\\Roaming\\icsuhone\\PickdVol.exe" C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dpapance.exe C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\dpapance.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe

"C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe"

C:\Windows\SysWOW64\dpapance.exe

C:\Windows\SysWOW64\dpapance.exe -k

C:\Users\Admin\AppData\Local\Temp\~36BB.tmp

"C:\Users\Admin\AppData\Local\Temp\~36BB.tmp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5004 -ip 5004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 241.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.179.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/5004-0-0x0000000000DB0000-0x0000000000DEE000-memory.dmp

C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe

MD5 ea31c5b4d65b294112d426d4cb069eff
SHA1 18d553cb4ec616d6b1aeb004c92fa2c4a988ffa7
SHA256 9feb8247ab869d58bb6af8cca66287a383875e8666393769f19ccb41abaa0cea
SHA512 b78c4bdf211c3d3e36f8b765ec776a6a3e26a6f0d366fd5fa560720c3140e1498bc73d8791550a5cb4751ad86f34919a6b44a9daa0f1db7d001a44f2c1b65082

memory/4692-6-0x0000000000150000-0x000000000018E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~36BB.tmp

MD5 05259b1cd4005deca335367b98ca7b98
SHA1 b72274d8ff8a79d474a24a7210820bdada57ffda
SHA256 0aebee970b0e915bf0cfe5ee84bdc0421957e797c15e2b5f4ec22b95be5df110
SHA512 eec6a04b937ac9398b7dd91f0b4774172172c7dd0752f502b4866c0a3ba08256909cd8134a3162e9ae93aa9bb63d99631b1d68077dc7cf07565d32cc30c6b45b

memory/3428-12-0x00000000083F0000-0x0000000008431000-memory.dmp

memory/1392-14-0x0000000000B50000-0x0000000000B8E000-memory.dmp

C:\Windows\SysWOW64\dpapance.exe

MD5 bedc21cc9bb6cc278ba47dee9f32dc27
SHA1 7c8d177753fcf3f1afb578895e8e852a6bd75c55
SHA256 4fbb6d84a1a7054724b491fe928c655b3bb7bb45c971f8126e6f39e0fc70ebfa
SHA512 46ad6477c4addaa0a464e02eefbd68e1c76a6d9794bbe820d36de67254b3198dba361769f67ef2ecc2958d160a2bfd8400095bf2c13b352a64c61b864e721216

memory/1392-16-0x0000000000B50000-0x0000000000B8E000-memory.dmp

memory/3428-15-0x00000000083F0000-0x0000000008431000-memory.dmp

memory/1392-19-0x0000000000B50000-0x0000000000B8E000-memory.dmp

memory/5004-23-0x0000000000DB0000-0x0000000000DEE000-memory.dmp