Analysis Overview
SHA256: 2977e0b05594746088bff548f75d614c92c1f0ba9ecc321f5350388271deec4c
Threat Level: Known bad
The file Client.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty
Stormkitty family
StormKitty payload
Reads user/profile data of web browsers
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses Microsoft Outlook profiles
Drops desktop.ini file(s)
Drops file in System32 directory
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
outlook_win_path
outlook_office_path
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Analysis: static1
Detonation Overview
Reported: 2024-04-29 19:53
Signatures
StormKitty payload
Stormkitty family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-29 19:53
Reported: 2024-04-29 19:55
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 120s
Signatures
StormKitty
StormKitty payload
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 172.67.160.84:443 | freegeoip.app | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\IZKCKOTP\Browsers\Firefox\Bookmarks.txt
C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\RegisterDisable.docx
C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\RepairWait.docx
C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\SkipUndo.xls
C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Documents\StepUninstall.rtf
C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\ImportDismount.svg
C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\InstallRepair.sql
C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\InvokeRepair.xlsx
C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\OpenRepair.docx
C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Pictures\DenyMount.png
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-29 19:53
Reported: 2024-04-29 19:55
Platform: win10v2004-20240419-en
Max time kernel: 55s
Max time network: 50s
Signatures
StormKitty
StormKitty payload
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\PYDWGGUE\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\PYDWGGUE\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\PYDWGGUE\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\PYDWGGUE\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | C:\Windows\System32\svchost.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Windows\system32\mspaint.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 660 -ip 660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 1204
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InitializeNew.png" /ForceBootstrapPaint3D
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
C:\Users\Admin\AppData\Roaming\PYDWGGUE\Process.txt