Malware Analysis Report

2024-10-23 17:03

Sample ID 240331-2ql3kaed4x
Target 6048d2cc24be326d2ede052bb52c19fa_JaffaCakes118
SHA256 2115a61103609e2f05e93ad1f8a18a21ef5f9a718e765c7bd7fc91e2cf6ba619
Tags
xloader amb4 loader rat
score
10/10

Analysis Overview

score
10/10

SHA256

2115a61103609e2f05e93ad1f8a18a21ef5f9a718e765c7bd7fc91e2cf6ba619

Threat Level: Known bad

The file 6048d2cc24be326d2ede052bb52c19fa_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xloader amb4 loader rat

Xloader

Xloader payload

Deletes itself

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-31 22:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-31 22:47

Reported

2024-03-31 22:49

Platform

win7-20240221-en

Max time kernel

153s

Max time network

127s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2836 set thread context of 2504 N/A C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe
PID 2504 set thread context of 1380 N/A C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe C:\Windows\Explorer.EXE
PID 796 set thread context of 1380 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe N/A
N/A N/A C:\Windows\SysWOW64\wlanext.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wlanext.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2836 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe
PID 1380 wrote to memory of 796 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wlanext.exe
PID 796 wrote to memory of 1164 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe

"C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe"

C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe

"C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe"

C:\Windows\SysWOW64\wlanext.exe

"C:\Windows\SysWOW64\wlanext.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-31 22:47

Reported

2024-03-31 22:49

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3312 set thread context of 2172 N/A C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe
PID 2172 set thread context of 3476 N/A C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe C:\Windows\Explorer.EXE
PID 3872 set thread context of 3476 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3312 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe
PID 3476 wrote to memory of 3872 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 3872 wrote to memory of 4488 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe

"C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe"

C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe

"C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\czOxHskgIAQwZ8m.exe"

Network


Files
