Analysis Overview
SHA256
9598d353175682d82d7bbe9eca3d48c97552db2718e77007601f80541b7c8afb
Threat Level: Known bad
The file quotation.scr.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
Uses the VBS compiler for execution
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-26 11:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-26 11:31
Reported
2024-01-26 11:33
Platform
win7-20231215-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
NanoCore
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1716 set thread context of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 2552 set thread context of 2752 | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 1132 set thread context of 1500 | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe
"C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\explorer"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe" "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Windows\system32\taskeng.exe
taskeng.exe {B64F180A-87E8-4947-8F06-57063889BBA0} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\explorer"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe" "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\explorer"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe" "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | harold.jetos.com | udp |
| NL | 91.92.242.242:6051 | harold.jetos.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
| MD5 | 38699281db788537bea1ce577eb81ea9 |
| SHA1 | 39e11046b7c615a047875ca3a0eafd20d583d693 |
| SHA256 | 9598d353175682d82d7bbe9eca3d48c97552db2718e77007601f80541b7c8afb |
| SHA512 | fd33f696fc92ed4d496088715dbc82ca7c67e3049b1855ca56c3576381677274cdd1d437ea98cb3774c5bef0106a2dbc984c97b8c680d243cee104c042357c3f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-26 11:31
Reported
2024-01-26 11:33
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
NanoCore
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1624 set thread context of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 4168 set thread context of 3160 | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 4844 set thread context of 2000 | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe
"C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe" "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\explorer"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe" "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\explorer"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\explorer"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe" "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | harold.jetos.com | udp |
| NL | 91.92.242.242:6051 | harold.jetos.com | tcp |
| US | 8.8.8.8:53 | 242.242.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
| MD5 | 38699281db788537bea1ce577eb81ea9 |
| SHA1 | 39e11046b7c615a047875ca3a0eafd20d583d693 |
| SHA256 | 9598d353175682d82d7bbe9eca3d48c97552db2718e77007601f80541b7c8afb |
| SHA512 | fd33f696fc92ed4d496088715dbc82ca7c67e3049b1855ca56c3576381677274cdd1d437ea98cb3774c5bef0106a2dbc984c97b8c680d243cee104c042357c3f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\explorer.exe.log
| MD5 | 81ab0e59097e03cb04c32378024d6628 |
| SHA1 | cc2a7a335f905e787906b6a0820acfbd4c5d0ed2 |
| SHA256 | 704dd8b8fb6dfccf43fd0712e36950102151fe7232d6602c53a42af967969533 |
| SHA512 | 3dd1374962c4d913ad6ec4207889abcca3e28946fa8937626bd2d13025a538e676bfc2efe76d27031d3f741bb3934104c0cf4e10da62758839add1fe543dfacb |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
| MD5 | 84e77a587d94307c0ac1357eb4d3d46f |
| SHA1 | 83cc900f9401f43d181207d64c5adba7a85edc1e |
| SHA256 | e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99 |
| SHA512 | aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691 |