Analysis Overview
SHA256
4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363
Threat Level: Likely malicious
The file 4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Deletes itself
Writes to the Master Boot Record (MBR)
Enumerates connected drives
Adds Run key to start application
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 18:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 18:23
Reported
2024-11-09 18:25
Platform
win7-20240903-en
Max time kernel
112s
Max time network
115s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\lmapu.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\lmapu.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\qbutr\\xgaha.dll\",GetWindowClass" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\lmapu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe | N/A |
| N/A | N/A | \??\c:\lmapu.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe
"C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\lmapu.exe "C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\lmapu.exe
c:\lmapu.exe "C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\qbutr\xgaha.dll",GetWindowClass c:\lmapu.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 18:23
Reported
2024-11-09 18:25
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\swyxl.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\swyxl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\mjkczeb\\infmjdn.dll\",GetWindowClass" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\swyxl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe | N/A |
| N/A | N/A | \??\c:\swyxl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe
"C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\swyxl.exe "C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\swyxl.exe
c:\swyxl.exe "C:\Users\Admin\AppData\Local\Temp\4ac2ac952a995a4186deb964a72742a3715d49eb231e63cffb80df77f089a363N.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\mjkczeb\infmjdn.dll",GetWindowClass c:\swyxl.exe
Network
Files