Analysis Overview
SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
Threat Level: Known bad
The file yOMHr.exe was found to be: Known bad.
Malicious Activity Summary
Ryuk
Checks computer location settings
Adds Run key to start application
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-07-31 11:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-31 11:43
Reported
2023-07-31 11:44
Platform
win7-20230712-en
Max time kernel
68s
Max time network
18s
Command Line
Signatures
Ryuk
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yOMHr.exe" | C:\Windows\system32\reg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msadox28.tlb | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\History.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\en-US\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\bod_r.TTF | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\handsafe.reg | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\rtstreamsink.ax | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\offset.ax | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp | C:\Windows\system32\taskhost.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2544 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | C:\Windows\System32\cmd.exe |
| PID 2544 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | C:\Windows\System32\cmd.exe |
| PID 2544 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | C:\Windows\System32\cmd.exe |
| PID 2544 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | C:\Windows\system32\taskhost.exe |
| PID 2544 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | C:\Windows\system32\Dwm.exe |
| PID 1612 wrote to memory of 2024 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1612 wrote to memory of 2024 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1612 wrote to memory of 2024 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe |
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\yOMHr.exe
"C:\Users\Admin\AppData\Local\Temp\yOMHr.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yOMHr.exe" /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yOMHr.exe" /f
Network
Files
C:\RyukReadMe.txt
| MD5 | cd99cba6153cbc0b14b7a849e4d0180f |
| SHA1 | 375961866404a705916cbc6cd4915de7d9778923 |
| SHA256 | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2 |
| SHA512 | 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-31 11:43
Reported
2023-07-31 11:46
Platform
win10v2004-20230703-en
Max time kernel
7s
Max time network
72s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yOMHr.exe" | C:\Windows\system32\reg.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2052 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | C:\Windows\System32\cmd.exe |
| PID 2052 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | C:\Windows\System32\cmd.exe |
| PID 2052 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | C:\Windows\system32\sihost.exe |
| PID 2052 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | C:\Windows\system32\svchost.exe |
| PID 5080 wrote to memory of 4204 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 5080 wrote to memory of 4204 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2052 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | C:\Windows\system32\taskhostw.exe |
| PID 2052 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | C:\Windows\system32\svchost.exe |
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\yOMHr.exe
"C:\Users\Admin\AppData\Local\Temp\yOMHr.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yOMHr.exe" /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yOMHr.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
Files
memory/2460-133-0x00007FF7973E0000-0x00007FF79776E000-memory.dmp
memory/2460-134-0x00007FF7973E0000-0x00007FF79776E000-memory.dmp