Analysis Overview
SHA256
44eaa6185d082fd3273b6b8c267935e2253bbe9acd345a7ef492d98112042743
Threat Level: Known bad
The file Conti Builder.rar was found to be: Known bad.
Malicious Activity Summary
Conti Ransomware
Conti family
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
UPX packed file
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-06 15:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-06 15:46
Reported
2024-12-06 15:48
Platform
win7-20241010-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Conti Builder.rar"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-06 15:46
Reported
2024-12-06 16:01
Platform
win10v2004-20241007-en
Max time kernel
445s
Max time network
449s
Command Line
Signatures
Conti Ransomware
Conti family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Conti Builder\builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Conti Builder\builder.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\3FA.builder.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\8FA.builder.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Conti Builder\builder.exe | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\2EA.builder.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\4D7.builder.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Conti Builder\builder.exe | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\4CC.builder.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\B4C.builder.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Conti Builder\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Conti Builder\builder.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4328 set thread context of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe | \??\c:\Users\Admin\AppData\Local\Temp\3FA.builder.tmp |
| PID 4328 set thread context of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe | \??\c:\Users\Admin\AppData\Local\Temp\8FA.builder.tmp |
| PID 4052 set thread context of 3776 | N/A | C:\Users\Admin\Desktop\Conti Builder\builder.exe | \??\c:\Users\Admin\AppData\Local\Temp\2EA.builder.tmp |
| PID 4052 set thread context of 2680 | N/A | C:\Users\Admin\Desktop\Conti Builder\builder.exe | \??\c:\Users\Admin\AppData\Local\Temp\4D7.builder.tmp |
| PID 5080 set thread context of 2168 | N/A | C:\Users\Admin\Desktop\Conti Builder\builder.exe | \??\c:\Users\Admin\AppData\Local\Temp\4CC.builder.tmp |
| PID 5080 set thread context of 1972 | N/A | C:\Users\Admin\Desktop\Conti Builder\builder.exe | \??\c:\Users\Admin\AppData\Local\Temp\B4C.builder.tmp |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\Users\Admin\AppData\Local\Temp\8FA.builder.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\Users\Admin\AppData\Local\Temp\4D7.builder.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\Users\Admin\AppData\Local\Temp\B4C.builder.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Program Files\7-Zip\7zFM.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Conti Builder\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Conti Builder\builder.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Conti Builder.rar"
C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
\??\c:\Users\Admin\AppData\Local\Temp\3FA.builder.tmp
"C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder_conti_aes.exe"
\??\c:\Users\Admin\AppData\Local\Temp\8FA.builder.tmp
"C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO082F98E7\HOW_TO_USE.txt
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Conti Builder\readme.txt
C:\Users\Admin\Desktop\Conti Builder\builder.exe
"C:\Users\Admin\Desktop\Conti Builder\builder.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\Conti Builder\builder.exe" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
\??\c:\Users\Admin\AppData\Local\Temp\2EA.builder.tmp
"C:\Users\Admin\Desktop\Conti Builder\builder_conti_aes.exe"
\??\c:\Users\Admin\AppData\Local\Temp\4D7.builder.tmp
"C:\Users\Admin\Desktop\Conti Builder\builder.exe"
C:\Users\Admin\Desktop\Conti Builder\builder.exe
"C:\Users\Admin\Desktop\Conti Builder\builder.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\Conti Builder\builder.exe" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
\??\c:\Users\Admin\AppData\Local\Temp\4CC.builder.tmp
"C:\Users\Admin\Desktop\Conti Builder\builder_conti_aes.exe"
\??\c:\Users\Admin\AppData\Local\Temp\B4C.builder.tmp
"C:\Users\Admin\Desktop\Conti Builder\builder.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e4bgdxc5.i5m.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\9CA.builder.tmp
C:\Users\Admin\AppData\Local\Temp\3FA.builder.tmp
\??\c:\Users\Admin\AppData\Local\Temp\8FA.builder.tmp
C:\Users\Admin\AppData\Local\Temp\7zO082F98E7\HOW_TO_USE.txt
C:\Users\Admin\Desktop\Conti Builder\readme.txt