Malware Analysis Report

2024-10-19 06:59

Sample ID 240620-vsf6rsydnb
Target 081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118
SHA256 b97a7ec81e5386c05b3c6d0987768c292cf286b4b21d50e7b1f2feb8b8a07b5f
Tags
modiloader persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b97a7ec81e5386c05b3c6d0987768c292cf286b4b21d50e7b1f2feb8b8a07b5f

Threat Level: Known bad

The file 081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader persistence trojan

Modifies WinLogon for persistence

ModiLoader, DBatLoader

ModiLoader Second Stage

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 17:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 17:14

Reported

2024-06-20 17:17

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\windows\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\ddlho.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\windows\ddlho.exe N/A
N/A N/A C:\windows\ddlho.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\_svchosl.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe N/A
File created C:\Windows\SysWOW64\_svchosl.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2444 set thread context of 2484 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\windows\ddlho.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\windows\ddlho.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\windows\ddlho.exe C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\windows\ddlho.exe
PID 1700 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\windows\ddlho.exe
PID 1700 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\windows\ddlho.exe
PID 1700 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\windows\ddlho.exe
PID 2648 wrote to memory of 2444 N/A C:\windows\ddlho.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe
PID 2648 wrote to memory of 2444 N/A C:\windows\ddlho.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe
PID 2648 wrote to memory of 2444 N/A C:\windows\ddlho.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe
PID 2648 wrote to memory of 2444 N/A C:\windows\ddlho.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe
PID 2444 wrote to memory of 2484 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\Windows\SysWOW64\svchost.exe
PID 2444 wrote to memory of 2484 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\Windows\SysWOW64\svchost.exe
PID 2444 wrote to memory of 2484 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\Windows\SysWOW64\svchost.exe
PID 2444 wrote to memory of 2484 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\Windows\SysWOW64\svchost.exe
PID 2444 wrote to memory of 2484 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\Windows\SysWOW64\svchost.exe
PID 2444 wrote to memory of 2484 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\Windows\SysWOW64\svchost.exe
PID 1700 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c date 1980-01-01

C:\windows\ddlho.exe

C:\windows\ddlho.exe

C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c date 2024-6-20

Network

N/A

Files

C:\Windows\ddlho.exe

MD5 de29a7f4ef0593a6d0c0b4960f923642
SHA1 210c6a07e7f0619c509b935e5fce11d4d1641a42
SHA256 3059b727ac8ab54a8d1d3ab457de4ac5f1bcd07e1db25a05411cd030a653c98d
SHA512 27f531da13f26d26672a6c5a48584224cf14fe3428fdc2f64e0c0c13093b4d3b59292994d9744d388e861536f25dc69962d373bb97810a95eee7a55380f9d864

memory/2648-9-0x0000000000400000-0x0000000000519000-memory.dmp

memory/1700-8-0x0000000003AF0000-0x0000000003C09000-memory.dmp

memory/2648-10-0x0000000001DA0000-0x0000000001DF4000-memory.dmp

memory/2648-30-0x0000000003480000-0x0000000003481000-memory.dmp

memory/2648-29-0x0000000003380000-0x0000000003383000-memory.dmp

memory/2648-28-0x0000000003480000-0x0000000003481000-memory.dmp

memory/2648-27-0x0000000003480000-0x0000000003481000-memory.dmp

memory/2648-41-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

memory/2648-40-0x0000000003410000-0x0000000003411000-memory.dmp

memory/2648-39-0x00000000033D0000-0x00000000033D1000-memory.dmp

memory/2648-38-0x00000000033E0000-0x00000000033E1000-memory.dmp

memory/2648-37-0x00000000033A0000-0x00000000033A1000-memory.dmp

memory/2648-36-0x00000000033B0000-0x00000000033B1000-memory.dmp

memory/2648-35-0x00000000033C0000-0x00000000033C1000-memory.dmp

memory/2648-34-0x0000000001D40000-0x0000000001D41000-memory.dmp

memory/2648-33-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2648-26-0x0000000003480000-0x0000000003481000-memory.dmp

memory/2648-25-0x0000000003480000-0x0000000003481000-memory.dmp

memory/2648-24-0x0000000003480000-0x0000000003481000-memory.dmp

memory/2648-23-0x0000000003480000-0x0000000003481000-memory.dmp

memory/2648-22-0x0000000003390000-0x0000000003391000-memory.dmp

memory/2648-21-0x0000000003380000-0x0000000003480000-memory.dmp

memory/2648-20-0x0000000003380000-0x0000000003480000-memory.dmp

memory/2648-19-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

memory/2648-18-0x0000000002040000-0x0000000002041000-memory.dmp

memory/2648-17-0x0000000002010000-0x0000000002011000-memory.dmp

memory/2648-16-0x0000000002020000-0x0000000002021000-memory.dmp

memory/2648-15-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

memory/2648-14-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

memory/2648-13-0x0000000002030000-0x0000000002031000-memory.dmp

memory/2648-12-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

memory/2648-11-0x0000000002000000-0x0000000002001000-memory.dmp

memory/2648-50-0x0000000004640000-0x0000000004759000-memory.dmp

memory/2444-52-0x0000000000350000-0x00000000003A4000-memory.dmp

memory/2444-51-0x0000000000400000-0x0000000000519000-memory.dmp

memory/2484-57-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2444-63-0x0000000000400000-0x0000000000519000-memory.dmp

memory/2648-66-0x0000000001DA0000-0x0000000001DF4000-memory.dmp

memory/2444-65-0x0000000000350000-0x00000000003A4000-memory.dmp

memory/2648-64-0x0000000000400000-0x0000000000519000-memory.dmp

memory/2484-60-0x0000000000400000-0x0000000000519000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 17:14

Reported

2024-06-20 17:17

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\windows\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\ddlho.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\_svchosl.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe N/A
File opened for modification C:\Windows\SysWOW64\_svchosl.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3628 set thread context of 60 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\windows\ddlho.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\windows\ddlho.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\windows\ddlho.exe C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\windows\ddlho.exe
PID 2468 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\windows\ddlho.exe
PID 2468 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\windows\ddlho.exe
PID 3104 wrote to memory of 3628 N/A C:\windows\ddlho.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe
PID 3104 wrote to memory of 3628 N/A C:\windows\ddlho.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe
PID 3104 wrote to memory of 3628 N/A C:\windows\ddlho.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe
PID 3628 wrote to memory of 60 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\Windows\SysWOW64\svchost.exe
PID 3628 wrote to memory of 60 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\Windows\SysWOW64\svchost.exe
PID 3628 wrote to memory of 60 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\Windows\SysWOW64\svchost.exe
PID 3628 wrote to memory of 60 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\Windows\SysWOW64\svchost.exe
PID 3628 wrote to memory of 60 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\081ed0b356460bf4d7e55a0be7291da0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c date 1980-01-01

C:\windows\ddlho.exe

C:\windows\ddlho.exe

C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchosl.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 60 -ip 60

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 12

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c date 2024-6-20

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Windows\ddlho.exe

MD5 de29a7f4ef0593a6d0c0b4960f923642
SHA1 210c6a07e7f0619c509b935e5fce11d4d1641a42
SHA256 3059b727ac8ab54a8d1d3ab457de4ac5f1bcd07e1db25a05411cd030a653c98d
SHA512 27f531da13f26d26672a6c5a48584224cf14fe3428fdc2f64e0c0c13093b4d3b59292994d9744d388e861536f25dc69962d373bb97810a95eee7a55380f9d864

memory/3104-6-0x0000000000400000-0x0000000000519000-memory.dmp

memory/3104-7-0x0000000002330000-0x0000000002384000-memory.dmp

memory/3104-38-0x0000000003500000-0x0000000003501000-memory.dmp

memory/3104-37-0x0000000003500000-0x0000000003501000-memory.dmp

memory/3104-41-0x0000000003500000-0x0000000003503000-memory.dmp

memory/3104-50-0x0000000003590000-0x0000000003591000-memory.dmp

memory/3104-51-0x0000000002720000-0x0000000002721000-memory.dmp

memory/3104-49-0x0000000003550000-0x0000000003551000-memory.dmp

memory/3104-48-0x0000000003560000-0x0000000003561000-memory.dmp

memory/3104-47-0x0000000003520000-0x0000000003521000-memory.dmp

memory/3104-46-0x0000000003530000-0x0000000003531000-memory.dmp

memory/3104-45-0x0000000003540000-0x0000000003541000-memory.dmp

memory/3104-44-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/3104-43-0x0000000000820000-0x0000000000821000-memory.dmp

memory/3104-42-0x0000000003510000-0x0000000003511000-memory.dmp

memory/3104-36-0x0000000003600000-0x0000000003601000-memory.dmp

memory/3104-35-0x0000000003500000-0x0000000003501000-memory.dmp

memory/3104-34-0x0000000003500000-0x0000000003501000-memory.dmp

memory/3104-33-0x0000000003500000-0x0000000003501000-memory.dmp

memory/3104-32-0x0000000003600000-0x0000000003601000-memory.dmp

memory/3104-31-0x0000000003600000-0x0000000003601000-memory.dmp

memory/3104-30-0x0000000003600000-0x0000000003601000-memory.dmp

memory/3104-29-0x0000000003600000-0x0000000003601000-memory.dmp

memory/3104-28-0x0000000003600000-0x0000000003601000-memory.dmp

memory/3104-27-0x0000000003600000-0x0000000003601000-memory.dmp

memory/3104-26-0x0000000003500000-0x0000000003501000-memory.dmp

memory/3104-25-0x0000000003510000-0x0000000003511000-memory.dmp

memory/3104-24-0x0000000003510000-0x0000000003511000-memory.dmp

memory/3104-23-0x0000000003510000-0x0000000003511000-memory.dmp

memory/3104-22-0x0000000003510000-0x0000000003511000-memory.dmp

memory/3104-21-0x0000000003510000-0x0000000003511000-memory.dmp

memory/3104-20-0x0000000003510000-0x0000000003511000-memory.dmp

memory/3104-19-0x0000000003510000-0x0000000003511000-memory.dmp

memory/3104-18-0x0000000003510000-0x0000000003511000-memory.dmp

memory/3104-17-0x0000000003510000-0x0000000003511000-memory.dmp

memory/3104-16-0x0000000002520000-0x0000000002521000-memory.dmp

memory/3104-15-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/3104-14-0x0000000002560000-0x0000000002561000-memory.dmp

memory/3104-13-0x0000000002580000-0x0000000002581000-memory.dmp

memory/3104-12-0x0000000002500000-0x0000000002501000-memory.dmp

memory/3104-11-0x0000000002510000-0x0000000002511000-memory.dmp

memory/3104-10-0x0000000002590000-0x0000000002591000-memory.dmp

memory/3104-9-0x0000000002530000-0x0000000002531000-memory.dmp

memory/3104-8-0x0000000002550000-0x0000000002551000-memory.dmp

memory/3628-55-0x0000000000400000-0x0000000000519000-memory.dmp

memory/3628-56-0x00000000021A0000-0x00000000021F4000-memory.dmp

memory/3628-63-0x00000000021A0000-0x00000000021F4000-memory.dmp

memory/3104-66-0x0000000002330000-0x0000000002384000-memory.dmp

memory/3104-65-0x0000000000400000-0x0000000000519000-memory.dmp

memory/3628-62-0x0000000000400000-0x0000000000519000-memory.dmp

memory/60-60-0x0000000000400000-0x0000000000519000-memory.dmp