Malware Analysis Report

2024-11-30 15:45

Sample ID 230118-a9ap4agg31
Target 98e3648add4ab0724ebeb54eb720e8ad97ad52b0
SHA256 9005a39c203e068daa077fe244e2608d36852dbef6f6ce8b28cc5cc015b89b1b
Tags
vjw0rm spyware stealer trojan worm
score
10/10

Analysis Overview

score
10/10

SHA256

9005a39c203e068daa077fe244e2608d36852dbef6f6ce8b28cc5cc015b89b1b

Threat Level: Known bad

The file 98e3648add4ab0724ebeb54eb720e8ad97ad52b0 was found to be: Known bad.

Malicious Activity Summary

vjw0rm spyware stealer trojan worm

Vjw0rm

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-18 00:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-18 00:54

Reported

2023-01-18 00:57

Platform

win7-20221111-en

Max time kernel

151s

Max time network

208s

Command Line

C:\Windows\Explorer.EXE

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js C:\Windows\System32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 652 set thread context of 1268 N/A C:\Users\Admin\AppData\Local\Temp\bin.exe C:\Windows\Explorer.EXE
PID 1768 set thread context of 1268 N/A C:\Windows\SysWOW64\cscript.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\cscript.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cscript.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 864 wrote to memory of 1400 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 864 wrote to memory of 652 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
PID 1268 wrote to memory of 1768 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cscript.exe
PID 1268 wrote to memory of 1004 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cscript.exe C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\98e3648add4ab0724ebeb54eb720e8ad97ad52b0.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js"

C:\Users\Admin\AppData\Local\Temp\bin.exe

"C:\Users\Admin\AppData\Local\Temp\bin.exe"

C:\Windows\SysWOW64\autochk.exe

"C:\Windows\SysWOW64\autochk.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe"

C:\Windows\SysWOW64\cscript.exe

"C:\Windows\SysWOW64\cscript.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 www.ambilis.com udp
N/A 199.59.243.222:80 www.ambilis.com tcp
N/A 8.8.8.8:53 www.sqlite.org udp
N/A 45.33.6.223:80 www.sqlite.org tcp
N/A 8.8.8.8:53 www.theedenpublicschool.com udp
N/A 162.214.81.26:80 www.theedenpublicschool.com tcp
N/A 8.8.8.8:53 theedenpublicschool.com udp
N/A 162.214.81.26:80 theedenpublicschool.com tcp
N/A 8.8.8.8:53 www.ecomicsvilla.com udp
N/A 198.252.102.191:80 www.ecomicsvilla.com tcp

Files

C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js

MD5 90c052e2282de1c12470fc54d62681d9
SHA1 ea069b254dde1f6cad46afedf55c69d4516a0d7a
SHA256 be62476863ca538e76f33e4758a5a5af8609d681026c4e325d8d667470aa9097
SHA512 73661062644236fcd76f689a8271f5f2c875468fbfdd4a4431a2b419c8bc093129345ee9b83d4f87eaa389a1ff12e776ba5d0d5845899931e1b72c32d4cb5ea7

C:\Users\Admin\AppData\Local\Temp\bin.exe

MD5 f9fdfca55156f35ea48a17947d091f4d
SHA1 15f10040cf10535deed5ca028150ed847a585d01
SHA256 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0
SHA512 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302

\Users\Admin\AppData\Local\Temp\sqlite3.dll

MD5 9c73b282279e74e40435132e61fda001
SHA1 63c7248e91b68fbde4641e3c5e2dc3e9d38671fa
SHA256 6710d91d77e1937dd5b46d96c0852042985dc78c4c51ce12d3e07a4cdb12c202
SHA512 02f9a01a3a5f74ef994ebb9e5f24c6870e2d48c8b99c429a63e74dad73fb581f0b52b2a86d651cafa414675b70a0e85b2e08c843d07e080fe69ee835e3c91108

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-18 00:54

Reported

2023-01-18 00:57

Platform

win10v2004-20221111-en

Max time kernel

153s

Max time network

208s

Command Line

C:\Windows\Explorer.EXE

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js C:\Windows\System32\wscript.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1908 set thread context of 784 N/A C:\Users\Admin\AppData\Local\Temp\bin.exe C:\Windows\Explorer.EXE
PID 3948 set thread context of 784 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Windows\SysWOW64\wlanext.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Windows\SysWOW64\wlanext.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wlanext.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\98e3648add4ab0724ebeb54eb720e8ad97ad52b0.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js"

C:\Users\Admin\AppData\Local\Temp\bin.exe

"C:\Users\Admin\AppData\Local\Temp\bin.exe"

C:\Windows\SysWOW64\wlanext.exe

"C:\Windows\SysWOW64\wlanext.exe"

Network

Country Destination Domain Proto
N/A 72.21.81.240:80 tcp
N/A 13.89.179.10:443 tcp
N/A 72.21.91.29:80 tcp
N/A 93.184.221.240:80 tcp
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 www.ambilis.com udp
N/A 199.59.243.222:80 www.ambilis.com tcp
N/A 8.8.8.8:53 www.theedenpublicschool.com udp
N/A 162.214.81.26:80 www.theedenpublicschool.com tcp
N/A 8.8.8.8:53 theedenpublicschool.com udp
N/A 162.214.81.26:80 theedenpublicschool.com tcp

Files

C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js

MD5 90c052e2282de1c12470fc54d62681d9
SHA1 ea069b254dde1f6cad46afedf55c69d4516a0d7a
SHA256 be62476863ca538e76f33e4758a5a5af8609d681026c4e325d8d667470aa9097
SHA512 73661062644236fcd76f689a8271f5f2c875468fbfdd4a4431a2b419c8bc093129345ee9b83d4f87eaa389a1ff12e776ba5d0d5845899931e1b72c32d4cb5ea7

C:\Users\Admin\AppData\Local\Temp\bin.exe

MD5 f9fdfca55156f35ea48a17947d091f4d
SHA1 15f10040cf10535deed5ca028150ed847a585d01
SHA256 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0
SHA512 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302
