Analysis Overview
SHA256
6b0a9042919243dbd7e2f81c2ba38f1a5f3dfc5fbbecf9e3d5a0c21244893e62
Threat Level: Likely malicious
The file 3f43b9396551277894edec9387907d50_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Modifies boot configuration data using bcdedit
Possible privilege escalation attempt
Drops file in Drivers directory
Modifies file permissions
Executes dropped EXE
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: CmdExeWriteProcessMemorySpam
Kills process with taskkill
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 10:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 10:13
Reported
2024-10-13 10:15
Platform
win7-20241010-en
Max time kernel
104s
Max time network
19s
Command Line
Signatures
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DRIVERS\ETC\HOSTS | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DRIVERS\ETC\HOSTS | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DRIVERS\ETC\hosts | C:\Windows\system32\attrib.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\MBR\bootsect.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\slmgr.vbs | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\slmgr.vbs | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\slmgr.vbs | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\slmgr.vbs | C:\Windows\system32\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\MBR\bootsect.exe | C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe | N/A |
| File created | C:\Windows\MBR\HOSTS | C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe | N/A |
| File created | C:\Windows\MBR\sfix.cmd | C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\MBR\bootsect.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\MBR\bootsect.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /c taskkill /f /im explorer.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\system32\cmd.exe
"cmd.exe" /c start /w /min %WINDIR%\MBR\sfix slmgr.vbs x86
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Windows\MBR\sfix slmgr.vbs x86
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo.slmgr.vbs x86"
C:\Windows\system32\find.exe
find "?"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo.slmgr.vbs"
C:\Windows\system32\find.exe
find /i "\syswow64"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo.x86"
C:\Windows\system32\find.exe
find "64"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo.x86"
C:\Windows\system32\find.exe
find "32"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo.x86"
C:\Windows\system32\find.exe
find "86"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /s /b "C:\Windows\winsxs\slmgr.vbs"|find /i "86_microsoft"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir /s /b "C:\Windows\winsxs\slmgr.vbs""
C:\Windows\system32\find.exe
find /i "86_microsoft"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\slmgr.vbs" /save "C:\Users\Admin\AppData\Local\Temp\f1449231836.acl"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SysWOW64\slmgr.vbs"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\slmgr.vbs" /grant *s-1-1-0:f
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64" /restore "C:\Users\Admin\AppData\Local\Temp\f1449231836.acl"
C:\Windows\system32\cmd.exe
"cmd.exe" /c start /w /min %WINDIR%\MBR\sfix slmgr.vbs x64
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Windows\MBR\sfix slmgr.vbs x64
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo.slmgr.vbs x64"
C:\Windows\system32\find.exe
find "?"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo.slmgr.vbs"
C:\Windows\system32\find.exe
find /i "\syswow64"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo.x64"
C:\Windows\system32\find.exe
find "64"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo.x64"
C:\Windows\system32\find.exe
find "32"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo.x64"
C:\Windows\system32\find.exe
find "86"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /s /b "C:\Windows\winsxs\slmgr.vbs"|find /i "64_microsoft"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir /s /b "C:\Windows\winsxs\slmgr.vbs""
C:\Windows\system32\find.exe
find /i "64_microsoft"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\slmgr.vbs" /save "C:\Users\Admin\AppData\Local\Temp\f1459026608.acl"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\slmgr.vbs"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\slmgr.vbs" /grant *s-1-1-0:f
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /restore "C:\Users\Admin\AppData\Local\Temp\f1459026608.acl"
C:\Windows\system32\cmd.exe
"cmd.exe" /c IF EXIST %WINDIR%\System32\Wat\WatAdminSvc.exe START %WINDIR%\System32\Wat\WatAdminSvc.exe /run
C:\Windows\system32\cmd.exe
"cmd.exe" /c IF EXIST %WINDIR%\System32\DRIVERS\ETC\HOSTS*.* ATTRIB +A -H -R -S %WINDIR%\System32\DRIVERS\ETC\HOSTS*.*
C:\Windows\system32\attrib.exe
ATTRIB +A -H -R -S C:\Windows\System32\DRIVERS\ETC\HOSTS*.*
C:\Windows\system32\cmd.exe
"cmd.exe" /c IF EXIST %WINDIR%\System32\DRIVERS\ETC\HOSTS.OLD DEL %WINDIR%\System32\DRIVERS\ETC\HOSTS.OLD
C:\Windows\system32\cmd.exe
"cmd.exe" /c IF EXIST %WINDIR%\System32\DRIVERS\ETC\HOSTS REN %WINDIR%\System32\DRIVERS\ETC\HOSTS HOSTS.OLD
C:\Windows\system32\cmd.exe
"cmd.exe" /c IF EXIST %WINDIR%\System32\DRIVERS\ETC\NUL COPY /Y %WINDIR%\MBR\HOSTS %WINDIR%\System32\DRIVERS\ETC
C:\Windows\system32\cmd.exe
"cmd.exe" /c %WINDIR%\MBR\bootsect.exe /nt60 SYS /mbr /force
C:\Windows\MBR\bootsect.exe
C:\Windows\MBR\bootsect.exe /nt60 SYS /mbr /force
C:\Windows\system32\cmd.exe
"cmd.exe" /c cscript %WINDIR%\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
C:\Windows\system32\cscript.exe
cscript C:\Windows\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
C:\Windows\system32\cmd.exe
"cmd.exe" /c %WINDIR%\System32\bcdedit -set testsigning off
C:\Windows\System32\bcdedit.exe
C:\Windows\System32\bcdedit -set testsigning off
C:\Windows\system32\cmd.exe
"cmd.exe" /c rundll32 slc.dll,SLReArmWindows
C:\Windows\system32\rundll32.exe
rundll32 slc.dll,SLReArmWindows
C:\Windows\system32\cmd.exe
"cmd.exe" /c cscript %WINDIR%\System32\slmgr.vbs -rearm
C:\Windows\system32\cscript.exe
cscript C:\Windows\System32\slmgr.vbs -rearm
C:\Windows\system32\cmd.exe
"cmd.exe" /c icacls %WINDIR%\System32\sppcext.dll /grant *S-1-1-0:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\sppcext.dll /grant *S-1-1-0:F
C:\Windows\system32\cmd.exe
"cmd.exe" /c icacls %WINDIR%\System32\sppcomapi.dll /grant *S-1-1-0:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\sppcomapi.dll /grant *S-1-1-0:F
C:\Windows\system32\cmd.exe
"cmd.exe" /c icacls %WINDIR%\System32\sppcommdlg.dll /grant *S-1-1-0:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\sppcommdlg.dll /grant *S-1-1-0:F
C:\Windows\system32\cmd.exe
"cmd.exe" /c icacls %WINDIR%\System32\sppcext.dll /grant *S-1-1-0:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\sppcext.dll /grant *S-1-1-0:F
C:\Windows\system32\cmd.exe
"cmd.exe" /c icacls %WINDIR%\System32\slui.exe /grant *S-1-1-0:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\slui.exe /grant *S-1-1-0:F
C:\Windows\system32\cmd.exe
"cmd.exe" /c icacls %WINDIR%\System32\Wat\npWatWeb.dll /grant *S-1-1-0:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\Wat\npWatWeb.dll /grant *S-1-1-0:F
C:\Windows\system32\cmd.exe
"cmd.exe" /c icacls %WINDIR%\System32\Wat\WatAdminSvc.exe /grant *S-1-1-0:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\Wat\WatAdminSvc.exe /grant *S-1-1-0:F
C:\Windows\system32\cmd.exe
"cmd.exe" /c icacls %WINDIR%\System32\Wat\WatUX.exe /grant *S-1-1-0:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\Wat\WatUX.exe /grant *S-1-1-0:F
C:\Windows\system32\cmd.exe
"cmd.exe" /c icacls %WINDIR%\System32\Wat\WatWeb.dll /grant *S-1-1-0:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\Wat\WatWeb.dll /grant *S-1-1-0:F
C:\Windows\system32\cmd.exe
"cmd.exe" /c icacls %WINDIR%\System32\Wat\WatAdminSvc.exe /grant *S-1-1-0:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\Wat\WatAdminSvc.exe /grant *S-1-1-0:F
C:\Windows\system32\cmd.exe
"cmd.exe" /c start /wait /min sfc /scannow
C:\Windows\system32\sfc.exe
sfc /scannow
Network
Files
C:\Windows\MBR\sfix.cmd
| MD5 | 0f00bdfa3d784cc57bbd7121ac9a5ac1 |
| SHA1 | 9df56ad2d3c8798bccaaa906f1ec8acc6c157524 |
| SHA256 | 7a4cf93010fc72ea41b7a0bad5800aa0d9e575c50b5b7b7816b534abf2a43488 |
| SHA512 | 6cf135c2ccd570c3f33c58ebd070f74dbf0ac64c355980690cc1babab4bbc66322a1991c08ce9a545000a7ffceeec3999ac34e0b18d97c32e8f0d138838d76a1 |
C:\Users\Admin\AppData\Local\Temp\f1449231836.acl
| MD5 | 7a3b8ec21ac9956ed258f5b397d281ab |
| SHA1 | 63cc8f5ca73640fa5fae2d20e69ce393a07a873d |
| SHA256 | bc1f553ca66a548e98f53caf25cebe0fb08f29704549b45095f61893f0113683 |
| SHA512 | ae19429864fe8c2473857538c8d52c95801ecdb269e11aed8ba700f43c3d6c6363cd8678178db67ffeb31f4ac47f37335643c392914226079da4b998e9edb40c |
C:\Windows\SysWOW64\slmgr.vbs
| MD5 | 38482a5013d8ab40df0fb15eae022c57 |
| SHA1 | 5a4a7f261307721656c11b5cc097cde1cf791073 |
| SHA256 | ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8 |
| SHA512 | 29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331 |
C:\Windows\MBR\HOSTS
| MD5 | 3688374325b992def12793500307566d |
| SHA1 | 4bed0823746a2a8577ab08ac8711b79770e48274 |
| SHA256 | 2d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085 |
| SHA512 | 59119e66f5945029f8652c5981589d95cace534adc6780ccea736b7e776615caa0b567c14d161271d6066f57d9bab0d4055850162f5a046c0456264b7b9e7508 |
C:\Windows\MBR\bootsect.exe
| MD5 | 034ab2b9c684d57770e8115426d63278 |
| SHA1 | 9f5d9c197411b18ccd9c3f9fd6c071cdb6791beb |
| SHA256 | b2d7e45c20489ed7d8b111a2097352af4c3f5d8e3059e000c23273086cd4396e |
| SHA512 | 107937198574356ac6512402d4c870605c378eb507442a0b6580a1cfc3b5cef1267f32f8ae3ab702841cc9febf73de9447338b5fdaa2f0cf96443793dfa91c06 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 10:13
Reported
2024-10-13 10:15
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\MBR\bootsect.exe | C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe | N/A |
| File created | C:\Windows\MBR\HOSTS | C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe | N/A |
| File created | C:\Windows\MBR\sfix.cmd | C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files