Malware Analysis Report

2025-03-14 23:27

Sample ID 240407-wwe9babb22
Target e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118
SHA256 15ec190cd1510696b56bc112c84902c862f052d35d5eff70c9c6dec9ce99816e
Tags
modiloader evasion persistence themida trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence themida trojan

ModiLoader, DBatLoader

UAC bypass

ModiLoader Second Stage

Executes dropped EXE

Identifies Wine through registry keys

Themida packer

Loads dropped DLL

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System policy modification

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:16

Signatures

Themida packer

themida

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:16

Reported

2024-04-07 18:18

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\msnmsgrs.exe N/A

ModiLoader Second Stage

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\12.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\12.exe N/A
N/A N/A C:\Windows\msnmsgrs.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\msnmsgrs.exe N/A
N/A N/A C:\Windows\msnmsgrs.exe N/A
N/A N/A C:\Windows\msnmsgrs.exe N/A
N/A N/A C:\Windows\msnmsgrs.exe N/A

Themida packer

themida

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnmsgr = "C:\\Windows\\msnmsgrs.exe" C:\Windows\msnmsgrs.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\12.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\msnmsgrs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\msnmsgrs.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msnmsgrs.exe C:\Users\Admin\AppData\Local\Temp\12.exe N/A
File opened for modification C:\Windows\msnmsgrs.exe C:\Users\Admin\AppData\Local\Temp\12.exe N/A
File created C:\Windows\ntdtcstp.dll C:\Windows\msnmsgrs.exe N/A
File created C:\Windows\cmsetac.dll C:\Windows\msnmsgrs.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\12.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\msnmsgrs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\msnmsgrs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe N/A
N/A N/A C:\Windows\msnmsgrs.exe N/A
N/A N/A C:\Windows\msnmsgrs.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\msnmsgrs.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\12.exe

"C:\Users\Admin\AppData\Local\Temp\12.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\msnmsgrs.exe

"C:\Windows\msnmsgrs.exe" \melt "C:\Users\Admin\AppData\Local\Temp\12.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maxboy.no-ip.org udp

Files

C:\Users\Admin\AppData\Local\Temp\12.exe

MD5 ab03f7d12eb1c9ec8ecc1c4a50b0dcfc
SHA1 d5d5cde4ddb4892198ac2dae47d142313bf57aa4
SHA256 234a9c6dc4217c935692268a0d3b3c7f889d80463e53d9fed11965cf1f7f36f0
SHA512 8343608a58d12a56f9f767afbf6f69b23db6c831bc366075918d4004292cec6c030f5691bfa195aab5ba33e34fde5a158f5fe486f74d173bed569e053ffb1cb5

C:\Windows\ntdtcstp.dll

MD5 67587e25a971a141628d7f07bd40ffa0
SHA1 76fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256 e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA512 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

C:\Windows\cmsetac.dll

MD5 93ccf5a58bb4999d02d085818240d0e0
SHA1 57dab0949efbd204a3e504717a86beca07eeb5b7
SHA256 a656645fd8b937fbca2f4a66889eaa31570a2a7ab7677e2384f21ae296bfa3d1
SHA512 6366be3b76d8896f8915488f2b4ff5555fed5991bcb509c31853ae30478bcbc4b583774c9293d091d9c3cad773cf38f7af401e2afacf208505cfb99f3982b34d

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:16

Reported

2024-04-07 18:18

Platform

win7-20240215-en

Max time kernel

147s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\msnmsgrs.exe N/A

ModiLoader Second Stage

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\12.exe N/A
N/A N/A C:\Windows\msnmsgrs.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe N/A

Themida packer

themida

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\msnmsgr = "C:\\Windows\\msnmsgrs.exe" C:\Windows\msnmsgrs.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\msnmsgrs.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\12.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\msnmsgrs.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msnmsgrs.exe C:\Users\Admin\AppData\Local\Temp\12.exe N/A
File opened for modification C:\Windows\msnmsgrs.exe C:\Users\Admin\AppData\Local\Temp\12.exe N/A
File created C:\Windows\ntdtcstp.dll C:\Windows\msnmsgrs.exe N/A
File created C:\Windows\cmsetac.dll C:\Windows\msnmsgrs.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\12.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\msnmsgrs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\msnmsgrs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe N/A
N/A N/A C:\Windows\msnmsgrs.exe N/A
N/A N/A C:\Windows\msnmsgrs.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\msnmsgrs.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58e2d2d2fab88e1b2f8c88aca3118b9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\12.exe

"C:\Users\Admin\AppData\Local\Temp\12.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\msnmsgrs.exe

"C:\Windows\msnmsgrs.exe" \melt "C:\Users\Admin\AppData\Local\Temp\12.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maxboy.no-ip.org udp

Files

\Users\Admin\AppData\Local\Temp\12.exe

MD5 ab03f7d12eb1c9ec8ecc1c4a50b0dcfc
SHA1 d5d5cde4ddb4892198ac2dae47d142313bf57aa4
SHA256 234a9c6dc4217c935692268a0d3b3c7f889d80463e53d9fed11965cf1f7f36f0
SHA512 8343608a58d12a56f9f767afbf6f69b23db6c831bc366075918d4004292cec6c030f5691bfa195aab5ba33e34fde5a158f5fe486f74d173bed569e053ffb1cb5

C:\Users\Admin\AppData\Local\Temp\pegadinhadomalandrow.jpg

MD5 119e5752e236a5e52c82b482918682db
SHA1 cd1e3bb34e5442d779966059f84c8f722a98ab68
SHA256 3034da60dda68bb8889a76fe82383862e6ad1a9800e5c04c31e89dab0ae6f630
SHA512 2029fe4d8a3bab9d376e97b08128dca683ba7b3ca8ccbdecf73d53c070479b4ae441a690011bf32cd891f3ba5cdc60c323a7ab3a54f4a149fe5dd6560941ee08
