Malware Analysis Report

2025-01-02 03:02

Sample ID 240812-zv7hysthqe
Target idk.exe
SHA256 dc0e648c50a81a0be80931b39a973d0edf899eb09c778e68a8b6025635696a05
Tags remotehost remcos discovery evasion persistence rat trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file idk.exe was found to be: Known bad.

Malicious Activity Summary

UAC bypass

Remcos

Remcos family

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 21:03

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 21:03

Reported

2024-08-12 21:21

Platform

win10v2004-20240802-en

Max time kernel

1049s

Max time network

1036s

Command Line

"C:\Users\Admin\AppData\Local\Temp\idk.exe"

Signatures

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\idk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Windows\SysWOW64\Windows\Windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Windows\SysWOW64\Windows\Windows.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Windows\Windows.exe C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
File created C:\Windows\SysWOW64\Windows\Windows.exe C:\Users\Admin\AppData\Local\Temp\idk.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2856 set thread context of 2160 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2160 set thread context of 3520 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windows\Windows.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\idk.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4108 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\idk.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\idk.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\idk.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4108 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\idk.exe C:\Windows\SysWOW64\Windows\Windows.exe
PID 4108 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\idk.exe C:\Windows\SysWOW64\Windows\Windows.exe
PID 4108 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\idk.exe C:\Windows\SysWOW64\Windows\Windows.exe
PID 2856 wrote to memory of 316 N/A C:\Windows\SysWOW64\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 316 N/A C:\Windows\SysWOW64\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 316 N/A C:\Windows\SysWOW64\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2856 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2856 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2856 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2160 wrote to memory of 3952 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 3952 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 3952 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 3520 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2160 wrote to memory of 3520 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2160 wrote to memory of 3520 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2160 wrote to memory of 3520 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 316 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 316 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 316 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3952 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3952 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3952 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\idk.exe

"C:\Users\Admin\AppData\Local\Temp\idk.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\Windows\Windows.exe

"C:\Windows\SysWOW64\Windows\Windows.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 k-peterson.gl.at.ply.gg udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 40.58.20.217.in-addr.arpa udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 35.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 k-peterson.gl.at.ply.gg udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 k-peterson.gl.at.ply.gg udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 k-peterson.gl.at.ply.gg udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp

Files

C:\Windows\SysWOW64\Windows\Windows.exe

MD5 783b3ecb43e1e04cac88e273c7ad2753
SHA1 4df53206d490af68c1352091ba7a51fbe6d23139
SHA256 dc0e648c50a81a0be80931b39a973d0edf899eb09c778e68a8b6025635696a05
SHA512 cc5b563719391acf3a3c54d4ad527e59a0181f57d51a4fc97e7a3a19372392cfa98710f61962844948565e150b92ebf37b2710e30455506d11cfeb174986309b

C:\ProgramData\remcos\logs.dat

MD5 a68c17cb4182ba7393c1985f5eb11c4c
SHA1 206e49f389defdc9382649a3583105bebfbc815a
SHA256 56a1f9c5943ae7be7edfc049f1e5da92e626dcc5beeb528e730b720c06f593a6
SHA512 3d114e8a734ff30c515ac1d443125cbd2088bc581c06f645c33e98e686aff73873d444aed8fef6562e1264fd247226b2780038059e10e40f4074a22ae19f2c32

C:\ProgramData\remcos\logs.dat

MD5 8bc72116708a80776d2d349e9e1ec6ab
SHA1 a96df3b24b8dee6776098bfd81e030ca589da5ab
SHA256 13f6e504c34399aa78b92fc003845b229fcf091e1315b4542c21ba9a4532851b
SHA512 00447ab975ae8aed2bfa0eb018aaf7273f6028379b520a21694084485eefc5242b2ad04ba5e0c1db30ccb353fa6f36c1e068117e9c8be1671b335768b936880f
