Analysis Overview
SHA256
26c461c102538e0758dbc3f003850cf7c30760ff2d180dab4759f34e2cd951a1
Threat Level: Known bad
The file d534da11-be41-4c1b-ab00-ddcf7bc442d0.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-17 22:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-17 22:04
Reported
2023-01-17 22:08
Platform
win7-20221111-en
Max time kernel
175s
Max time network
229s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEDrooilsg.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEDrooilsg.js | C:\Windows\System32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\d534da11-be41-4c1b-ab00-ddcf7bc442d0.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PEDrooilsg.js"
C:\Users\Admin\AppData\Local\Temp\Payload (3).exe
"C:\Users\Admin\AppData\Local\Temp\Payload (3).exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1884
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ipinfo.io | udp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.136.232:443 | discord.com | tcp |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\PEDrooilsg.js
| MD5 | 2ae3f4bf78428996391b735422d69932 |
| SHA1 | c7cabe2cb2488d4dec8c31ec5d3694244f559149 |
| SHA256 | c2f18d683b7e47c1758130920b336bdd440c3e879a2175b241b4b5d58e79604d |
| SHA512 | 9f95c35cca567fb73fe4164402e5662fbe8839934491cc7e447338235ee4584f0c94ecb4dd1477cf2fe9f931b1a6ce0223f610cae54aab0d3aa789674bb880d8 |
C:\Users\Admin\AppData\Local\Temp\Payload (3).exe
| MD5 | 3e8af9fffb1b980b193508f6a8a8cdc3 |
| SHA1 | e91e6f525952ae5a812d3cd3a795c6aeca94e527 |
| SHA256 | ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc |
| SHA512 | 072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-17 22:04
Reported
2023-01-17 22:07
Platform
win10v2004-20220901-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEDrooilsg.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEDrooilsg.js | C:\Windows\System32\wscript.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1612 wrote to memory of 1628 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1612 wrote to memory of 4808 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload (3).exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\d534da11-be41-4c1b-ab00-ddcf7bc442d0.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PEDrooilsg.js"
C:\Users\Admin\AppData\Local\Temp\Payload (3).exe
"C:\Users\Admin\AppData\Local\Temp\Payload (3).exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.8.45:443 | | tcp |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | ipinfo.io | udp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.137.232:443 | discord.com | tcp |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 20.189.173.15:443 | | tcp |
| N/A | 2.18.109.224:443 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\PEDrooilsg.js
| MD5 | 2ae3f4bf78428996391b735422d69932 |
| SHA1 | c7cabe2cb2488d4dec8c31ec5d3694244f559149 |
| SHA256 | c2f18d683b7e47c1758130920b336bdd440c3e879a2175b241b4b5d58e79604d |
| SHA512 | 9f95c35cca567fb73fe4164402e5662fbe8839934491cc7e447338235ee4584f0c94ecb4dd1477cf2fe9f931b1a6ce0223f610cae54aab0d3aa789674bb880d8 |
C:\Users\Admin\AppData\Local\Temp\Payload (3).exe
| MD5 | 3e8af9fffb1b980b193508f6a8a8cdc3 |
| SHA1 | e91e6f525952ae5a812d3cd3a795c6aeca94e527 |
| SHA256 | ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc |
| SHA512 | 072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11 |