Malware Analysis Report

2024-11-16 13:26

Sample ID 241010-x4lazasdjh
Target 7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N
SHA256 7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1
Tags
urelas discovery trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 19:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 19:24

Reported

2024-10-10 19:26

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ruqow.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruqow.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rejei.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ruqow.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rejei.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rejei.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4568 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe C:\Users\Admin\AppData\Local\Temp\ruqow.exe
PID 4568 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\ruqow.exe C:\Users\Admin\AppData\Local\Temp\rejei.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe

"C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe"

C:\Users\Admin\AppData\Local\Temp\ruqow.exe

"C:\Users\Admin\AppData\Local\Temp\ruqow.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\rejei.exe

"C:\Users\Admin\AppData\Local\Temp\rejei.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ruqow.exe

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

C:\Users\Admin\AppData\Local\Temp\rejei.exe

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 19:24

Reported

2024-10-10 19:26

Platform

win7-20240729-en

Max time kernel

119s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajuc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sufip.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zajuc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sufip.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1072 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe C:\Users\Admin\AppData\Local\Temp\zajuc.exe
PID 1072 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\zajuc.exe C:\Users\Admin\AppData\Local\Temp\sufip.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe

"C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe"

C:\Users\Admin\AppData\Local\Temp\zajuc.exe

"C:\Users\Admin\AppData\Local\Temp\zajuc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\sufip.exe

"C:\Users\Admin\AppData\Local\Temp\sufip.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp

Files

\Users\Admin\AppData\Local\Temp\zajuc.exe

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

C:\Users\Admin\AppData\Local\Temp\sufip.exe

C:\Users\Admin\AppData\Local\Temp\zajuc.exe
