Malware Analysis Report

2024-10-23 19:31

Sample ID 240620-1gashascln
Target 097d297d04200e1094a2ca5694303587_JaffaCakes118
SHA256 09fa9e5b270fb1e33ade2295bd56dd00194013f5b42e8618ed8eb733798290ef
Tags
modiloader trojan
score
10/10

Analysis Overview

score
10/10

SHA256

09fa9e5b270fb1e33ade2295bd56dd00194013f5b42e8618ed8eb733798290ef

Threat Level: Known bad

The file 097d297d04200e1094a2ca5694303587_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Executes dropped EXE

Deletes itself

Enumerates connected drives

Drops autorun.inf file

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 21:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 21:36

Reported

2024-06-20 21:39

Platform

win7-20240611-en

Max time kernel

143s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rejoice101.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2664 set thread context of 2972 N/A C:\Windows\rejoice101.exe C:\Windows\SysWOW64\calc.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rejoice101.exe C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened for modification C:\Windows\rejoice101.exe C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File created C:\Windows\_rejoice101.exe C:\Windows\rejoice101.exe N/A
File opened for modification C:\Windows\_rejoice101.exe C:\Windows\rejoice101.exe N/A
File created C:\Windows\DelSvel.bat C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rejoice101.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe C:\Windows\rejoice101.exe
PID 1672 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe C:\Windows\rejoice101.exe
PID 1672 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe C:\Windows\rejoice101.exe
PID 1672 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe C:\Windows\rejoice101.exe
PID 2664 wrote to memory of 2972 N/A C:\Windows\rejoice101.exe C:\Windows\SysWOW64\calc.exe
PID 2664 wrote to memory of 2972 N/A C:\Windows\rejoice101.exe C:\Windows\SysWOW64\calc.exe
PID 2664 wrote to memory of 2972 N/A C:\Windows\rejoice101.exe C:\Windows\SysWOW64\calc.exe
PID 2664 wrote to memory of 2972 N/A C:\Windows\rejoice101.exe C:\Windows\SysWOW64\calc.exe
PID 2664 wrote to memory of 2972 N/A C:\Windows\rejoice101.exe C:\Windows\SysWOW64\calc.exe
PID 2664 wrote to memory of 2972 N/A C:\Windows\rejoice101.exe C:\Windows\SysWOW64\calc.exe
PID 2664 wrote to memory of 2356 N/A C:\Windows\rejoice101.exe C:\Windows\SysWOW64\WerFault.exe
PID 2664 wrote to memory of 2356 N/A C:\Windows\rejoice101.exe C:\Windows\SysWOW64\WerFault.exe
PID 2664 wrote to memory of 2356 N/A C:\Windows\rejoice101.exe C:\Windows\SysWOW64\WerFault.exe
PID 2664 wrote to memory of 2356 N/A C:\Windows\rejoice101.exe C:\Windows\SysWOW64\WerFault.exe
PID 1672 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe"

C:\Windows\rejoice101.exe

C:\Windows\rejoice101.exe

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 320

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\DelSvel.bat

Network

N/A

Files

F:\rejoice101.exe

MD5 097d297d04200e1094a2ca5694303587
SHA1 ffae1a3f4e314d6f7783fff3b70ba638e8653131
SHA256 09fa9e5b270fb1e33ade2295bd56dd00194013f5b42e8618ed8eb733798290ef
SHA512 d1238e5430360f83ad8c32527657e819af356d5ac8fd6f958a3751ca0d8cf6b754b95f352d658dd1da7596a13aed8f8a74269ef676366281b62002b24b57d604

C:\Windows\DelSvel.bat

MD5 9c6aa0178ed69baf465d5c56165677d8
SHA1 e0ecec3a676b3e50255e601d5c12d738857e1557
SHA256 d259521aebc4733592ec7ee5baba7f9dc64aa670b61945e755c0cee38e5f15b9
SHA512 27d2cef660399fababd6b1f4918fb04cc3b10b3410962ca732748d802bce14ea3e77bb6ffa798ce321bed6acacb893a3d6865698c678ab31cb950afea6c5aa07

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 21:36

Reported

2024-06-20 21:39

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rejoice101.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\_rejoice101.exe C:\Windows\rejoice101.exe N/A
File opened for modification C:\Windows\_rejoice101.exe C:\Windows\rejoice101.exe N/A
File created C:\Windows\DelSvel.bat C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File created C:\Windows\rejoice101.exe C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A
File opened for modification C:\Windows\rejoice101.exe C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rejoice101.exe

Processes

C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe"

C:\Windows\rejoice101.exe

C:\Windows\rejoice101.exe

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3916 -ip 3916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 680

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\DelSvel.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

F:\rejoice101.exe

MD5 097d297d04200e1094a2ca5694303587
SHA1 ffae1a3f4e314d6f7783fff3b70ba638e8653131
SHA256 09fa9e5b270fb1e33ade2295bd56dd00194013f5b42e8618ed8eb733798290ef
SHA512 d1238e5430360f83ad8c32527657e819af356d5ac8fd6f958a3751ca0d8cf6b754b95f352d658dd1da7596a13aed8f8a74269ef676366281b62002b24b57d604

C:\Windows\DelSvel.bat

MD5 9c6aa0178ed69baf465d5c56165677d8
SHA1 e0ecec3a676b3e50255e601d5c12d738857e1557
SHA256 d259521aebc4733592ec7ee5baba7f9dc64aa670b61945e755c0cee38e5f15b9
SHA512 27d2cef660399fababd6b1f4918fb04cc3b10b3410962ca732748d802bce14ea3e77bb6ffa798ce321bed6acacb893a3d6865698c678ab31cb950afea6c5aa07
