Analysis Overview
SHA256
e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a
Threat Level: Known bad
The file e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Modifies visibility of file extensions in Explorer
UPX dump on OEP (original entry point)
Executes dropped EXE
UPX packed file
Enumerates connected drives
AutoIT Executable
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 04:45
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 04:45
Reported
2024-06-03 04:47
Platform
win7-20240508-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\svhost.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\m: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\p: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\t: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\b: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\g: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\l: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\w: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\x: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\a: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\o: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\r: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\v: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\y: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\z: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\i: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\k: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\s: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\j: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\n: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\q: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\u: | C:\Windows\svhost.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe | N/A |
| File opened for modification | C:\Windows\Driver.db | C:\Windows\svhost.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe | N/A |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2036 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe | C:\Windows\svhost.exe |
| PID 2036 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe | C:\Windows\svhost.exe |
| PID 2036 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe | C:\Windows\svhost.exe |
| PID 2036 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe
"C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe"
C:\Windows\svhost.exe
C:\Windows\svhost.exe
Network
Files
memory/2036-0-0x0000000000400000-0x00000000004C2000-memory.dmp
C:\Windows\svhost.exe
| MD5 | e8638b9369b6396707580d9229f5892b |
| SHA1 | 74dc0e2276c0b6b88ec05e35e7aa677ab29fc88d |
| SHA256 | 030bfc8d97c407262dfaf0b069aa3a4f4a6989de5282593d30cb93ae81a3e2ee |
| SHA512 | 641a7964d57f06c6364914056c053874029376570f8e88bb3586c95dd69db574b1b5df1d1d771f0f36a8ff3e1c7d6e734d421e591435a20f28ce76ddbd19c9be |
memory/2356-6-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2036-5-0x0000000003D00000-0x0000000003DC2000-memory.dmp
C:\Windows\Driver.db
| MD5 | c2d2dc50dca8a2bfdc8e2d59dfa5796d |
| SHA1 | 7a6150fc53244e28d1bcea437c0c9d276c41ccad |
| SHA256 | b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960 |
| SHA512 | 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4 |
C:\Documents and Settings.exe
| MD5 | c94122f97af266afe988cde5cac800f9 |
| SHA1 | 6f4695de31bca638bdd9652c77e8b7632a3ffd60 |
| SHA256 | 3f3122c20a0c8b7cc739a4d5ae13143a2f84cf93b3ebc132a7a658de13a16641 |
| SHA512 | 45a4ded4701f095ac267ccc321b7049515950a0d5259f361ec493c3ed2121adaccc0d2c2f27e5e1c495e08661739afdbbc7a88c1f7058f11b7551b02eb05d0eb |
memory/2036-797-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-1325-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-2387-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-2656-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-3449-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-4766-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-5830-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-6889-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-7946-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-9272-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-10330-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-11387-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-12442-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-13772-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-14828-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2356-15886-0x0000000000400000-0x00000000004C2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 04:45
Reported
2024-06-03 04:47
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\svhost.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\m: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\p: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\q: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\t: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\i: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\l: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\z: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\w: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\x: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\a: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\j: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\o: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\u: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\s: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\v: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\y: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\b: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\g: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\n: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\r: | C:\Windows\svhost.exe | N/A |
| File opened (read-only) | \??\k: | C:\Windows\svhost.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Driver.db | C:\Windows\svhost.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe | N/A |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4332 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe | C:\Windows\svhost.exe |
| PID 4332 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe | C:\Windows\svhost.exe |
| PID 4332 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe
"C:\Users\Admin\AppData\Local\Temp\e0246e08713bc99a27008063ccae21db16d0d945cdcb1412b5c0d7820c83540a.exe"
C:\Windows\svhost.exe
C:\Windows\svhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
memory/4332-0-0x0000000000400000-0x00000000004C2000-memory.dmp
C:\Windows\svhost.exe
| MD5 | ec59b1616cf690edea7dc08c7e9e31d6 |
| SHA1 | 0ed70354a4d076931f84f0b94ebea01c952b0102 |
| SHA256 | 04241b913b1f36ab37899856ef09e5975a658840590c1b3a8438a63f87cce338 |
| SHA512 | 465615462fcb62107167bf56c2b00f1023af7cdb2f9a2bba00232855639603b8b9155e79692dadf644fbe506b1dc7b9c4b68d45b20b22d1baff362942fbecf1c |
C:\Windows\Driver.db
| MD5 | c2d2dc50dca8a2bfdc8e2d59dfa5796d |
| SHA1 | 7a6150fc53244e28d1bcea437c0c9d276c41ccad |
| SHA256 | b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960 |
| SHA512 | 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4 |
C:\PerfLogs.exe
| MD5 | 749a4240bc13ea0451f947124998f9a0 |
| SHA1 | d40c5e3546b6bd7fc0c54086d6d09aec788aed2c |
| SHA256 | 9e263c41b2b8eaf2156ea051e71a20ada9450a915f67f502c50dda9903ad82bc |
| SHA512 | 81d3b08404e841fc57aa5f4f46acaf70aea09bfee3c6c4c45423d18bb1dd49b861af42781de10846f7d13144005d1d93df22468c5ecbdffaaeb2aa621db6f239 |
memory/4332-714-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-1256-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-2310-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-3372-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-4692-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-5744-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-6802-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-7861-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-9177-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-10240-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-11292-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-12352-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-13667-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-14725-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2340-15782-0x0000000000400000-0x00000000004C2000-memory.dmp