Analysis Overview
SHA256
ed801a3e54843afe989aadd69cdab5e6fbf00e8e02742f354519b4b16de8f31c
Threat Level: Known bad
The file 02e8c7af3724ff535da627197920ad14.exe was found to be: Known bad.
Malicious Activity Summary
Troldesh, Shade, Encoder.858
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-17 15:10
Signatures
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-17 15:10
Reported
2024-04-17 19:31
Platform
win10v2004-20240226-en
Max time kernel
602s
Max time network
608s
Command Line
Signatures
Troldesh, Shade, Encoder.858
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe
"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-17 15:10
Reported
2024-04-17 19:32
Platform
win11-20240412-en
Max time kernel
591s
Max time network
502s
Command Line
Signatures
Troldesh, Shade, Encoder.858
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4041115548-3858121278-1660933110-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe
"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 15:10
Reported
2024-04-17 19:30
Platform
win10-20240404-en
Max time kernel
609s
Max time network
625s
Command Line
Signatures
Troldesh, Shade, Encoder.858
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe
"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 15:10
Reported
2024-04-17 19:30
Platform
win7-20240221-en
Max time kernel
491s
Max time network
493s
Command Line
Signatures
Troldesh, Shade, Encoder.858
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe
"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"
Network
| Country | Destination | Domain | Proto |
| US | 128.31.0.39:9101 | | tcp |
| N/A | 127.0.0.1:49193 | | tcp |
| US | 208.83.223.34:80 | | tcp |
| SG | 76.73.17.194:9090 | | tcp |
| DE | 193.23.244.244:443 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-17 15:10
Reported
2024-04-17 19:30
Platform
win10-20240404-en
Max time kernel
592s
Max time network
601s
Command Line
Signatures
Troldesh, Shade, Encoder.858
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe
"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49774 | | tcp |
| DE | 131.188.40.189:443 | | tcp |
| US | 8.8.8.8:53 | 189.40.188.131.in-addr.arpa | udp |
| SG | 76.73.17.194:9090 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 154.35.32.5:443 | | tcp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 81.166.213.23.in-addr.arpa | udp |
Files