Malware Analysis Report

2025-01-02 14:45

Sample ID 240823-gv9n7s1emp
Target baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118
SHA256 cfa38f8a3c4cea8f6a0004dfceeaae1fd3c8ad155724f5869f8b67f96796df60
Tags
andromeda backdoor botnet discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cfa38f8a3c4cea8f6a0004dfceeaae1fd3c8ad155724f5869f8b67f96796df60

Threat Level: Known bad

The file baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

andromeda backdoor botnet discovery persistence

Detects Andromeda payload.

Andromeda, Gamarue

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Maps connected drives based on registry

Drops file in Program Files directory

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-23 06:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-23 06:08

Reported

2024-08-23 06:11

Platform

win7-20240704-en

Max time kernel

144s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe"

Signatures

Andromeda, Gamarue

botnet backdoor andromeda

Detects Andromeda payload.

Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\43714 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msweqpv.com" C:\Windows\syswow64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\syswow64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bot_0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Local\Temp\bot_0.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\bot_0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\LOCALS~1\Temp\msweqpv.com C:\Windows\syswow64\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tuk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bot_0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bot_0.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bot_0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\tuk.exe
PID 2584 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2584 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bot_0.exe
PID 1916 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\bot_0.exe C:\Windows\syswow64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sar3.bat" "

C:\Users\Admin\AppData\Local\Temp\tuk.exe

tuk.exe

C:\Windows\SysWOW64\PING.EXE

ping microsoft.com

C:\Users\Admin\AppData\Local\Temp\bot_0.exe

bot_0.exe

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\sar3.bat


C:\Users\Admin\AppData\Local\Temp\tuk.exe


\Users\Admin\AppData\Local\Temp\bot_0.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-23 06:08

Reported

2024-08-23 06:11

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe"

Signatures

Andromeda, Gamarue

botnet backdoor andromeda

Detects Andromeda payload.

Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\23417 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mseqqui.com" C:\Windows\SysWOW64\svchost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bot_0.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Local\Temp\bot_0.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\bot_0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\LOCALS~1\Temp\mseqqui.com C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tuk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bot_0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bot_0.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bot_0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 852 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 4656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\tuk.exe
PID 5104 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5104 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bot_0.exe
PID 3536 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\bot_0.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sar3.bat" "

C:\Users\Admin\AppData\Local\Temp\tuk.exe

tuk.exe

C:\Windows\SysWOW64\PING.EXE

ping microsoft.com

C:\Users\Admin\AppData\Local\Temp\bot_0.exe

bot_0.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\syswow64\svchost.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\sar3.bat


C:\Users\Admin\AppData\Local\Temp\tuk.exe


C:\Users\Admin\AppData\Local\Temp\bot_0.exe
