Malware Analysis Report

2024-11-15 06:40

Sample ID 240603-lhv3habd87
Target 914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118
SHA256 be96bb6c6b3769dbeaeb1f28ccb166dbe6ccb9834899542f7e2ddcd1cf2b0b4d
Tags
discovery persistence spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

be96bb6c6b3769dbeaeb1f28ccb166dbe6ccb9834899542f7e2ddcd1cf2b0b4d

Threat Level: Shows suspicious behavior

The file 914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer upx

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 09:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 09:32

Reported

2024-06-03 09:35

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 372 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 372 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
UA 94.153.127.132:80 tcp
EG 41.38.71.138:80 tcp
SE 94.254.52.140:80 tcp
UA 46.149.62.141:80 tcp
VN 123.28.95.142:80 tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 142.95.28.123.in-addr.arpa udp
VN 123.28.95.142:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
N/A 127.0.0.1:52290 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
EG 41.38.71.138:80 tcp
SE 94.254.52.140:80 tcp
UA 46.149.62.141:80 tcp
UA 93.77.221.142:80 tcp
YE 188.209.252.154:80 tcp
MD 86.106.147.162:80 tcp
UA 95.69.163.166:80 tcp
CR 186.64.238.167:80 tcp
HK 112.119.69.171:80 tcp
US 75.105.82.179:80 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
CO 186.115.146.229:80 tcp
RO 86.124.230.232:80 tcp
TW 111.249.249.235:80 tcp
UA 176.8.70.239:80 tcp
UA 31.202.178.239:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
UA 93.76.235.208:80 tcp
JP 223.133.177.210:80 tcp
MD 89.149.97.215:80 tcp
US 74.67.21.220:80 tcp
UA 46.118.111.224:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
UA 37.115.102.109:80 tcp
BY 134.17.160.109:80 tcp
RU 178.129.117.110:80 tcp
NL 85.17.31.111:80 tcp
SI 91.246.240.111:80 tcp
UA 31.133.116.26:80 tcp
MD 109.185.202.27:80 tcp
UA 109.87.199.28:80 tcp
RS 46.40.50.34:80 tcp
VN 27.2.179.36:80 tcp

Files

memory/3644-2-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-0-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-4-0x0000000000400000-0x0000000000645000-memory.dmp

memory/372-3-0x00000000027E0000-0x0000000003229000-memory.dmp

memory/3644-5-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-6-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-8-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-10-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-9-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-11-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-12-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-13-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-14-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-16-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-18-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-19-0x0000000000400000-0x0000000000645000-memory.dmp

memory/3644-20-0x0000000000400000-0x0000000000645000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 09:32

Reported

2024-06-03 09:35

Platform

win7-20240508-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe
PID 1276 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\914a92fcc92b5f786a45c0d0391f1fb7_JaffaCakes118.exe

Network

Country Destination Domain Proto
UA 94.153.127.132:80 tcp
EG 41.38.71.138:80 tcp
SE 94.254.52.140:80 tcp
UA 46.149.62.141:80 tcp
VN 123.28.95.142:80 tcp
VN 123.28.95.142:80 tcp
N/A 127.0.0.1:49219 tcp
UA 46.63.32.75:80 tcp
RO 79.114.135.81:80 tcp
HK 14.199.57.82:80 tcp
RU 176.197.38.84:80 tcp
KR 106.242.117.85:80 tcp
UA 77.122.167.93:80 tcp
LV 81.198.206.95:80 tcp
MD 37.233.40.97:80 tcp
MD 89.28.63.99:80 tcp
UA 178.136.213.107:80 tcp
RO 95.76.169.18:80 tcp
GB 5.105.39.19:80 tcp
UA 176.37.119.19:80 tcp
JP 126.62.77.20:80 tcp
KR 211.237.95.20:80 tcp
CN 117.40.213.89:80 tcp
UA 37.115.102.109:80 tcp
BY 134.17.160.109:80 tcp
RU 178.129.117.110:80 tcp
NL 85.17.31.111:80 tcp
VN 27.3.114.225:80 tcp
CO 186.115.146.229:80 tcp
RO 86.124.230.232:80 tcp
TW 111.249.249.235:80 tcp
UA 176.8.70.239:80 tcp
GE 78.139.185.21:80 tcp
UA 176.8.198.22:80 tcp
RO 89.41.38.24:80 tcp
US 73.38.63.24:80 tcp
TW 182.234.149.25:80 tcp
RO 89.41.38.24:80 tcp
N/A 127.0.0.1:49270 tcp

Files

memory/1680-6-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-12-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1276-13-0x00000000025A0000-0x0000000002FE9000-memory.dmp

memory/1680-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1680-8-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-4-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-2-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-0-0x00000000001B0000-0x00000000002AA000-memory.dmp

memory/1680-15-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-16-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-17-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-19-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-21-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-18-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-22-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-23-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-25-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-24-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-27-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-26-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-28-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-29-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-32-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-33-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1680-34-0x0000000000400000-0x0000000000645000-memory.dmp