Malware Analysis Report

2024-11-30 11:10

Sample ID 241119-axpcqaxglg
Target Dark_drop_2_pers_lum_clean.exe
SHA256 cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88
Tags
discovery darkgate derry execution persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88

Threat Level: Known bad

The file Dark_drop_2_pers_lum_clean.exe was found to be: Known bad.

Malicious Activity Summary

discovery darkgate derry execution persistence stealer

DarkGate

Detect DarkGate stealer

Darkgate family

Executes dropped EXE

Adds Run key to start application

Command and Scripting Interpreter: AutoIT

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-19 00:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 00:35

Reported

2024-11-19 00:38

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe

"C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 172

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 00:35

Reported

2024-11-19 00:38

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe"

Signatures

DarkGate

stealer darkgate

Darkgate family

darkgate

Detect DarkGate stealer

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\temp\test\Autoit3.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbaahcf = "\"C:\\ProgramData\\bbcagfh\\Autoit3.exe\" C:\\ProgramData\\bbcagfh\\afdhdcf.a3x" \??\c:\temp\test\Autoit3.exe N/A

Command and Scripting Interpreter: AutoIT

execution
Description Indicator Process Target
N/A N/A \??\c:\temp\test\Autoit3.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1560 set thread context of 4292 N/A \??\c:\temp\test\Autoit3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\temp\test\Autoit3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\temp\test\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\temp\test\Autoit3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe N/A
N/A N/A \??\c:\temp\test\Autoit3.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\temp\test\Autoit3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3080 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe \??\c:\temp\test\Autoit3.exe
PID 1560 wrote to memory of 3620 N/A \??\c:\temp\test\Autoit3.exe \??\c:\windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 2180 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1560 wrote to memory of 716 N/A \??\c:\temp\test\Autoit3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1560 wrote to memory of 4292 N/A \??\c:\temp\test\Autoit3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe

"C:\Users\Admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe"

\??\c:\temp\test\Autoit3.exe

"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x

\??\c:\windows\SysWOW64\cmd.exe

"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bbcagfh\bkfkfhc

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic ComputerSystem get domain

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Network


Files

C:\temp\test\Autoit3.exe

\??\c:\temp\test\script.a3x

C:\ProgramData\bbcagfh\bkfkfhc
