Analysis Overview
SHA256
8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30
Threat Level: Known bad
The file QUOTATION_NOVQTRA071244·PDF.scr was found to be: Known bad.
Malicious Activity Summary
Snake Keylogger payload
Snakekeylogger family
Snake Keylogger
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 08:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 08:10
Reported
2024-11-08 08:13
Platform
win7-20241023-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Snakekeylogger family
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2908 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 2908 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 2908 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 2908 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr
"C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr" /S
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 172.67.200.96:80 | filetransfer.io | tcp |
| US | 172.67.200.96:443 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | s21.filetransfer.io | udp |
| US | 172.67.200.96:443 | s21.filetransfer.io | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 172.67.177.134:443 | reallyfreegeoip.org | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 08:10
Reported
2024-11-08 08:13
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
139s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Snakekeylogger family
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3144 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 3144 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 3144 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr
"C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244·PDF.scr" /S
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 104.21.13.139:80 | filetransfer.io | tcp |
| US | 104.21.13.139:443 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | 139.13.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s21.filetransfer.io | udp |
| US | 104.21.13.139:443 | s21.filetransfer.io | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 0.130.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files