Malware Analysis Report

2025-01-19 00:31

Sample ID 240506-akp4gsaf3w
Target 19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118
SHA256 fc46887dce507c14a49bcecd46df32e3f5946fdf3acef1ef2670c474db6ec43d
Tags
persistence upx microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fc46887dce507c14a49bcecd46df32e3f5946fdf3acef1ef2670c474db6ec43d

Threat Level: Known bad

The file 19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence upx microsoft phishing product:outlook

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-06 00:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 00:16

Reported

2024-05-06 00:19

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Files

C:\Windows\services.exe

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Temp\nhElkwbtb.log

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Temp\tmp80F.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 00:16

Reported

2024-05-06 00:19

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Files

C:\Windows\services.exe

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Temp\jeqauh8.log

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Temp\tmpDB59.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SZ2TD4H5\7OR3SRS1.htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BB8X2UQ6\results[2].htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SZ2TD4H5\search[2].htm
