Malware Analysis Report

2024-11-16 13:15

Sample ID 240625-ehhc3syhrc
Target 0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118
SHA256 ae2659106347593ba1d1d08af7bbb9e59597b5e9c47fa9daa316d0bc81009d46
Tags sality backdoor evasion trojan upx
Score 10/10

Analysis Overview

score
10/10

SHA256

ae2659106347593ba1d1d08af7bbb9e59597b5e9c47fa9daa316d0bc81009d46

Threat Level: Known bad

The file 0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

UAC bypass

UPX packed file

Checks whether UAC is enabled

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 03:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 03:56

Reported

2024-06-25 03:58

Platform

win7-20240611-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 132

Network

N/A

Files

memory/2248-0-0x0000000000400000-0x000000000049A000-memory.dmp

memory/2248-1-0x0000000000400000-0x000000000049A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 03:56

Reported

2024-06-25 03:58

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

97s

Command Line

"fontdrvhost.exe"

Signatures

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 5020 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 5020 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 5020 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 5020 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 5020 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 5020 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 5020 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 5020 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 5020 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5020 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 5020 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 5020 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 5020 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 5020 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/5020-0-0x0000000001FB0000-0x0000000002FE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0E577232_Rar\0c68521bfbbf9c51fbc37c4316a6d295_JaffaCakes118.exe

MD5 605a171c61a0607bdcf6be80ed07cf95
SHA1 477d4391b0d84406127e43ead289a3596ac1e5e5
SHA256 09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9
SHA512 3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338

memory/5020-15-0x0000000004AC0000-0x0000000004AC2000-memory.dmp

memory/5020-3-0x0000000000400000-0x000000000049A000-memory.dmp

memory/5020-17-0x0000000001FB0000-0x0000000002FE0000-memory.dmp

memory/5020-20-0x0000000004AC0000-0x0000000004AC2000-memory.dmp

memory/5020-21-0x0000000004AC0000-0x0000000004AC2000-memory.dmp

memory/5020-19-0x0000000001FB0000-0x0000000002FE0000-memory.dmp

memory/5020-16-0x0000000004C60000-0x0000000004C61000-memory.dmp

memory/5020-25-0x0000000001FB0000-0x0000000002FE0000-memory.dmp

memory/5020-27-0x0000000001FB0000-0x0000000002FE0000-memory.dmp

memory/5020-51-0x0000000000400000-0x000000000049A000-memory.dmp