Malware Analysis Report

2024-11-16 13:25

Sample ID 241015-ca78essbkk
Target f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN
SHA256 f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7d
Tags
urelas discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7d

Threat Level: Known bad

The file f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 01:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 01:53

Reported

2024-10-15 01:55

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\guliz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uzbar.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\guliz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uzbar.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe C:\Users\Admin\AppData\Local\Temp\guliz.exe
PID 2528 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\guliz.exe C:\Users\Admin\AppData\Local\Temp\uzbar.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe

"C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe"

C:\Users\Admin\AppData\Local\Temp\guliz.exe

"C:\Users\Admin\AppData\Local\Temp\guliz.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\uzbar.exe

"C:\Users\Admin\AppData\Local\Temp\uzbar.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp

Files

memory/2528-0-0x0000000001000000-0x0000000001081000-memory.dmp

memory/2528-1-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\guliz.exe

MD5 be687615ed51c250dd4e4228a6ac7bd4
SHA1 00e955fb2454d26e1115f3eb4c1fddd8e8a31aed
SHA256 0996a11dda52c7be96d1575339ed3612adb5d3279638bd278c2fe231e21c8141
SHA512 1c9eaca13e139f7b486f20cbee66d9368a54308360b931dceb04cb034f781272c16b85b977bf69b00f00ac53b136b09f7c6160989469f30b8d24803cb6480488

memory/2340-18-0x0000000000F20000-0x0000000000FA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 9aa697a51fdea1d66b8c6ae525f43c07
SHA1 28b8563321bae665b0b7cc1b67bb64a2f00949ad
SHA256 8c1227dd84ae0ba73ba27efe08233beb3617c909e014ef6a08e0180664bb3247
SHA512 fd3e84e4bd4ca2e5e5c5a47034f96c4ebe0e10e0f1e6ac1e2f2551e3d6e6e47f491e8b6f4728ec48cd468c41fa64b89ab33890c22a9f2ab401437ca0ff4c135c

memory/2340-19-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2528-9-0x0000000000AB0000-0x0000000000B31000-memory.dmp

memory/2528-21-0x0000000001000000-0x0000000001081000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 37f1696fd13182061762d9a8f348dbab
SHA1 85605938db8267c976df45ad56a40a294579a899
SHA256 d9287ac9ea7a2e08cec3aa01f0a38db863fa0f5a47c5e1a4b521e899f5f5ea3a
SHA512 ecd96245d941b9ec74acc10ad394be9105bbedceebc16b0ed36c627f1babf32c4023fa4cb0b5e120225e944805062236a98d7d7665b781efc1de388353a2c3b1

memory/2340-24-0x0000000000F20000-0x0000000000FA1000-memory.dmp

memory/1800-44-0x0000000001320000-0x00000000013B9000-memory.dmp

memory/1800-41-0x0000000001320000-0x00000000013B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uzbar.exe

MD5 824c4a9d2a75e00b0fe5c61dea47ba0e
SHA1 f7d164c60dd9b8b4ee9b321a719d668cec24fedf
SHA256 eaea9f65a8050edbb975688fc6df16d9bd8b30cff181146b5c656a6bb855df22
SHA512 9e740b480dfd3626b6c9b618e3a3d9042eb8e69482f185ac6601eb253dcfb8a915e21c5d1bf94a70187f6790192129d036ece4920dcf8c311fbbd0ee0d3ce5ea

memory/2340-39-0x0000000000F20000-0x0000000000FA1000-memory.dmp

memory/1800-46-0x0000000001320000-0x00000000013B9000-memory.dmp

memory/1800-47-0x0000000001320000-0x00000000013B9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 01:53

Reported

2024-10-15 01:55

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sigui.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sigui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xerer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sigui.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xerer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xerer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe C:\Users\Admin\AppData\Local\Temp\sigui.exe
PID 2368 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\sigui.exe C:\Users\Admin\AppData\Local\Temp\xerer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe

"C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe"

C:\Users\Admin\AppData\Local\Temp\sigui.exe

"C:\Users\Admin\AppData\Local\Temp\sigui.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\xerer.exe

"C:\Users\Admin\AppData\Local\Temp\xerer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/2368-0-0x0000000000440000-0x00000000004C1000-memory.dmp

memory/2368-1-0x0000000001030000-0x0000000001031000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sigui.exe

MD5 1dbd323238d3fb7df27e9d08a2664668
SHA1 a0b89a3e74ed254a4d8c2bc1dce3c7b29a583045
SHA256 082a993ec593c2f8e78f3af3261b3f0d4d2b38fc318d7a781f9477f3295056a4
SHA512 a46aba88e662f20d9ef1171b665535ea9b2e9370a1b8521ab1e087495ef1a82f00a587de731cfed9f22ee1ecfa832d350fa1b2a5778b0786fcb7bd057869e2f4

memory/4544-14-0x0000000000E60000-0x0000000000E61000-memory.dmp

memory/4544-13-0x0000000000500000-0x0000000000581000-memory.dmp

memory/2368-16-0x0000000000440000-0x00000000004C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 9aa697a51fdea1d66b8c6ae525f43c07
SHA1 28b8563321bae665b0b7cc1b67bb64a2f00949ad
SHA256 8c1227dd84ae0ba73ba27efe08233beb3617c909e014ef6a08e0180664bb3247
SHA512 fd3e84e4bd4ca2e5e5c5a47034f96c4ebe0e10e0f1e6ac1e2f2551e3d6e6e47f491e8b6f4728ec48cd468c41fa64b89ab33890c22a9f2ab401437ca0ff4c135c

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 d5bdb0d99a15f96e8b89de97fd952cf3
SHA1 5f7b78bd1d8cbf9b190584dcfd49b887fd2ee672
SHA256 0b5bbf40e1c6ccfc12aead3baa7c2438acb7127a12998733015cb5436840864d
SHA512 b3b8293589de85aac0dfe27646f6b450031425a354c8ec3b6af6760e37add1328545703e031d7736a5cb5c9453b616833864059685939e5148f8e4442aedca9c

memory/4544-19-0x0000000000500000-0x0000000000581000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xerer.exe

MD5 b4eedfa3baa4680c157eaa7999eda368
SHA1 74e7df654780045144055c1ae3bae192edc06f8a
SHA256 71547e24af536c5729f8e2a5fad184b870608a89a2f4dc48393230b6439ef66c
SHA512 045a06088cc283dd0f63705b44202d92643b97d19195b08531bdb2a642f2db2afd0e12dcdf3c156fe4378f2f01379ec221172236b72e9cf665091b51c9cabedc

memory/3388-36-0x00000000002E0000-0x0000000000379000-memory.dmp

memory/4544-38-0x0000000000500000-0x0000000000581000-memory.dmp

memory/3388-42-0x0000000000260000-0x0000000000262000-memory.dmp

memory/3388-39-0x00000000002E0000-0x0000000000379000-memory.dmp

memory/3388-44-0x00000000002E0000-0x0000000000379000-memory.dmp

memory/3388-45-0x00000000002E0000-0x0000000000379000-memory.dmp