Analysis Overview
SHA256
e148b601cabaf0ff2242d4e204090f34e12c5f181793008125ab53c4bca8cc80
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
Detect Amadey credential stealer module
Executes dropped EXE
Downloads MZ/PE file
Blocklisted process makes network request
Reads local data of messenger clients
Loads dropped DLL
Checks computer location settings
Accesses Microsoft Outlook profiles
Program crash
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
outlook_win_path
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 22:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 22:03
Reported
2022-10-31 22:05
Platform
win7-20220901-en
Max time kernel
113s
Max time network
128s
Command Line
Signatures
Amadey
Detect Amadey credential stealer module
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads local data of messenger clients
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
C:\Windows\system32\taskeng.exe
taskeng.exe {F02B6401-4CD8-44CA-8DF0-ABD4E98F6BA7} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Network
| Country | Destination | Domain | Proto |
| RU | 31.41.244.15:80 | 31.41.244.15 | tcp |
| RU | 31.41.244.15:80 | 31.41.244.15 | tcp |
| N/A | 10.127.0.9:80 | | tcp |
| N/A | 10.127.0.9:80 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
| MD5 | 5a5e87d1ca5b3b323a603ccef736119a |
| SHA1 | a52a3d51df3ad463229bc2148d6767ba60199425 |
| SHA256 | e148b601cabaf0ff2242d4e204090f34e12c5f181793008125ab53c4bca8cc80 |
| SHA512 | 03b64cfbc98a0f10f9200271899915f57e264de49c810a1d935a7855e2a4bfbef4356e6ae319e6d91c0b0f2a12a595c53f728473d26883cfdaf3d1f65194bd16 |
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll
| MD5 | 522adad0782501491314a78c7f32006b |
| SHA1 | e487edceeef3a41e2a8eea1e684bcbc3b39adb97 |
| SHA256 | 351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba |
| SHA512 | 5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-31 22:03
Reported
2022-10-31 22:05
Platform
win10v2004-20220812-en
Max time kernel
114s
Max time network
147s
Command Line
Signatures
Amadey
Detect Amadey credential stealer module
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads local data of messenger clients
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4400 -ip 4400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 908
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2404 -ip 2404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 416
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4184 -ip 4184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 416
Network
| Country | Destination | Domain | Proto |
| RU | 31.41.244.15:80 | 31.41.244.15 | tcp |
| RU | 31.41.244.15:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| FR | 40.79.150.121:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| RU | 31.41.244.15:80 | 31.41.244.15 | tcp |
| N/A | 10.127.0.76:80 | | tcp |
| N/A | 10.127.0.76:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
| MD5 | 5a5e87d1ca5b3b323a603ccef736119a |
| SHA1 | a52a3d51df3ad463229bc2148d6767ba60199425 |
| SHA256 | e148b601cabaf0ff2242d4e204090f34e12c5f181793008125ab53c4bca8cc80 |
| SHA512 | 03b64cfbc98a0f10f9200271899915f57e264de49c810a1d935a7855e2a4bfbef4356e6ae319e6d91c0b0f2a12a595c53f728473d26883cfdaf3d1f65194bd16 |
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll
| MD5 | 522adad0782501491314a78c7f32006b |
| SHA1 | e487edceeef3a41e2a8eea1e684bcbc3b39adb97 |
| SHA256 | 351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba |
| SHA512 | 5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7 |