Malware Analysis Report

2025-04-03 09:24

Sample ID 250303-clg6datlw9
Target 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
Tags
a4d2cd amadey systembc defense_evasion discovery trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe was found to be: Known bad.

Malicious Activity Summary

a4d2cd amadey systembc defense_evasion discovery trojan

Systembc family

Amadey

Amadey family

SystemBC

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2025-03-03 02:09

Signatures

Amadey family

amadey

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-03 02:09

Reported

2025-03-03 02:12

Platform

win7-20240903-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\xmcslfc\mjbs.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\xmcslfc\mjbs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\xmcslfc\mjbs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\ProgramData\xmcslfc\mjbs.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A
N/A N/A C:\ProgramData\xmcslfc\mjbs.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\xmcslfc\mjbs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A
N/A N/A C:\ProgramData\xmcslfc\mjbs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2820 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
PID 2780 wrote to memory of 2012 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\xmcslfc\mjbs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe

"C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe

"C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {420BFA46-0262-43A1-9809-88F37599418C} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]

C:\ProgramData\xmcslfc\mjbs.exe

C:\ProgramData\xmcslfc\mjbs.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 213.209.150.137:4458 towerbingobongoboom.com tcp

Files

\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 73636685f823d103c54b30bc457c7f0d
SHA1 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe

MD5 9218e5cad03c752f237ed87a9e52def4
SHA1 0ccddab0d87776d78c613c6e7a6f3bce93ffc3d3
SHA256 833610e95cc965e70096620e0adaa8917963df9f9ec56e00af1ff331161a7971
SHA512 4ca94c23bf82bee5ff5a7f7e318e99c084f7403cdc2e23276087f55620f9e9f988a7a6816fedcd2f853a21fe645c3cc89f7b2f6f05f792b549fd698fd14f5cb3

C:\Windows\Tasks\Test Task17.job

MD5 d2210b34ae5d92f476bde77464a47f26
SHA1 8535effc083ad62a515fa15ee7aa5b7aedeec6d3
SHA256 eb2ea5e62563d71c51cf19863f3ff29982eeefa937503b34816d27e9e584c43d
SHA512 1ce228ce7f8b33fe0964438a032a838b2b60dda78db1e78a71628722a2444d77ef7f255dc2cf19631291c720eb862202cf89aadbc296a10f0a7e9a1eab16bab7

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-03 02:09

Reported

2025-03-03 02:12

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\tbnnhg\swcunko.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\tbnnhg\swcunko.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\tbnnhg\swcunko.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\ProgramData\tbnnhg\swcunko.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A
N/A N/A C:\ProgramData\tbnnhg\swcunko.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\tbnnhg\swcunko.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe N/A
N/A N/A C:\ProgramData\tbnnhg\swcunko.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe

"C:\Users\Admin\AppData\Local\Temp\1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe

"C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe"

C:\ProgramData\tbnnhg\swcunko.exe

C:\ProgramData\tbnnhg\swcunko.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 213.209.150.137:4784 towerbingobongoboom.com tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 73636685f823d103c54b30bc457c7f0d
SHA1 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe

MD5 9218e5cad03c752f237ed87a9e52def4
SHA1 0ccddab0d87776d78c613c6e7a6f3bce93ffc3d3
SHA256 833610e95cc965e70096620e0adaa8917963df9f9ec56e00af1ff331161a7971
SHA512 4ca94c23bf82bee5ff5a7f7e318e99c084f7403cdc2e23276087f55620f9e9f988a7a6816fedcd2f853a21fe645c3cc89f7b2f6f05f792b549fd698fd14f5cb3

C:\Windows\Tasks\Test Task17.job

MD5 ce8dc2faf9b59566d29debf3e06d3561
SHA1 62e48b1e62a1805055beb5f794641cc485419038
SHA256 64de01ce6aaae42d0d96bc5de51fa49be58fa4b492416ef43503d151f6d3d6cc
SHA512 5cf9e262bc7f26a207f16240b940bb4933eb3adfeb588af387d9231b3a0b19d35de0b75590e4cfc08159018d78701ea318b800f5a33148e56f35c0fd05655aaf
