Malware Analysis Report

2024-11-13 18:52

Sample ID 240519-287f8agc92
Target 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118
SHA256 9ab651c11036df65785bcd01fe6ecb68a9b0beb56579b76c350dbd3f6960f0ae
Tags
remcos microsoftdll persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ab651c11036df65785bcd01fe6ecb68a9b0beb56579b76c350dbd3f6960f0ae

Threat Level: Known bad

The file 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remcos microsoftdll persistence rat

Remcos

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 23:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 23:16

Reported

2024-05-19 23:18

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\"" C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\"" C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\"" C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\"" C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Microsoft\crrcs.exe C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Microsoft\crrcs.exe C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "

C:\Windows\SysWOW64\PING.EXE

PING 127.0.0.1 -n 2

C:\Windows\SysWOW64\Microsoft\crrcs.exe

"C:\Windows\SysWOW64\Microsoft\crrcs.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4256,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3924 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 108.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp
US 8.8.8.8:53 1.habladourf.top udp

Files

memory/5100-0-0x0000000000570000-0x00000000005EB000-memory.dmp

memory/5100-1-0x0000000076F42000-0x0000000076F43000-memory.dmp

memory/5100-2-0x0000000000401000-0x000000000041A000-memory.dmp

memory/5100-8-0x0000000000400000-0x000000000049C000-memory.dmp

memory/5100-10-0x0000000000401000-0x000000000041A000-memory.dmp

memory/5100-9-0x0000000000570000-0x00000000005EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 163f2af0d421cff56e30d04e89363fe7
SHA1 5116aa1cad828ecd3e0819c15523839901fa6eac
SHA256 2f9c8881dd083f02446f616ce3fbbcb008bb92b21cfd5dc85652a38d297eebf5
SHA512 303ca46c8319393f7257088328da0bcd4b5a66de64fb15fd0e306dccf4985d8179d73c346d44c574807436aedd7da8cabb0c24494876fb5c151dd62d174bc8fb

C:\Windows\SysWOW64\Microsoft\crrcs.exe

MD5 5bfc4a0b0e7484ff63f2eb66b45186b7
SHA1 804f350c5034fc13fcc3d49e72de98799e301fb2
SHA256 9ab651c11036df65785bcd01fe6ecb68a9b0beb56579b76c350dbd3f6960f0ae
SHA512 084dcda591290c89d1fec84c7868d65522d193524cbbc15d61bec710f617535bf77386ea5a6c3c1b366cce216dd7310d84271847775497533648d04b8ae00620

memory/4164-15-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-16-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-17-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-20-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-21-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-22-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-23-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-24-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-25-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-26-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-27-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-28-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-29-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-30-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-31-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-32-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4164-33-0x0000000000400000-0x000000000049C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 23:16

Reported

2024-05-19 23:18

Platform

win7-20240220-en

Max time kernel

146s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\"" C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\"" C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\"" C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\"" C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Microsoft\crrcs.exe C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Microsoft\crrcs.exe C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Microsoft\crrcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2592 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2592 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2592 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2592 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Microsoft\crrcs.exe
PID 2592 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Microsoft\crrcs.exe
PID 2592 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Microsoft\crrcs.exe
PID 2592 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Microsoft\crrcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "

C:\Windows\SysWOW64\PING.EXE

PING 127.0.0.1 -n 2

C:\Windows\SysWOW64\Microsoft\crrcs.exe

"C:\Windows\SysWOW64\Microsoft\crrcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.habladourf.top udp

Files

memory/2784-0-0x0000000000220000-0x000000000029B000-memory.dmp

memory/2784-1-0x0000000077D7F000-0x0000000077D80000-memory.dmp

memory/2784-2-0x0000000000401000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 163f2af0d421cff56e30d04e89363fe7
SHA1 5116aa1cad828ecd3e0819c15523839901fa6eac
SHA256 2f9c8881dd083f02446f616ce3fbbcb008bb92b21cfd5dc85652a38d297eebf5
SHA512 303ca46c8319393f7257088328da0bcd4b5a66de64fb15fd0e306dccf4985d8179d73c346d44c574807436aedd7da8cabb0c24494876fb5c151dd62d174bc8fb

memory/2784-13-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2784-14-0x0000000000220000-0x000000000029B000-memory.dmp

memory/2784-15-0x0000000000401000-0x000000000041A000-memory.dmp

C:\Windows\SysWOW64\Microsoft\crrcs.exe

MD5 5bfc4a0b0e7484ff63f2eb66b45186b7
SHA1 804f350c5034fc13fcc3d49e72de98799e301fb2
SHA256 9ab651c11036df65785bcd01fe6ecb68a9b0beb56579b76c350dbd3f6960f0ae
SHA512 084dcda591290c89d1fec84c7868d65522d193524cbbc15d61bec710f617535bf77386ea5a6c3c1b366cce216dd7310d84271847775497533648d04b8ae00620

memory/2608-21-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-22-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-23-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-26-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-27-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-28-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-29-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-30-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-31-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-32-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-33-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-34-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-35-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-36-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-37-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-38-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2608-39-0x0000000000400000-0x000000000049C000-memory.dmp