Malware Analysis Report

2024-10-16 03:40

Sample ID 240830-kh133svdkf
Target aa11496ae8767601729e7f74ad715430N.cab
SHA256 7b8c157934afb9480c8ad7f456fccb235294c2a5557eb05102c736a24e2c9aaf
Tags
redline monik discovery infostealer healer petin dropper evasion persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file aa11496ae8767601729e7f74ad715430N.cab was found to be: Known bad.

Malicious Activity Summary

redline monik discovery infostealer healer petin dropper evasion persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

RedLine payload

RedLine

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-08-30 08:36

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-30 08:36

Reported

2024-08-30 08:38

Platform

win7-20240708-en

Max time kernel

106s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\j5520135.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2984 set thread context of 1944 N/A C:\Users\Admin\AppData\Local\Temp\j5520135.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\j5520135.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\j5520135.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\j5520135.exe

"C:\Users\Admin\AppData\Local\Temp\j5520135.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country Destination Domain Proto
FI 77.91.124.82:19071 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-30 08:36

Reported

2024-08-30 08:38

Platform

win10v2004-20240802-en

Max time kernel

107s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\j5520135.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3100 set thread context of 3088 N/A C:\Users\Admin\AppData\Local\Temp\j5520135.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\j5520135.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\j5520135.exe

"C:\Users\Admin\AppData\Local\Temp\j5520135.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country Destination Domain Proto
FI 77.91.124.82:19071 tcp

Files

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-30 08:36

Reported

2024-08-30 08:38

Platform

win10v2004-20240802-en

Max time kernel

106s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x2665667.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

RedLine payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\x2665667.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4776 set thread context of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\x2665667.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9251280.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\x2665667.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe
PID 4144 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe
PID 4776 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4144 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9251280.exe

Processes

C:\Users\Admin\AppData\Local\Temp\x2665667.exe

"C:\Users\Admin\AppData\Local\Temp\x2665667.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9251280.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9251280.exe

Network

Country Destination Domain Proto
FI 77.91.124.82:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe

MD5 d07a8d025ad5167e0519e860780f58b0
SHA1 930163600ba309aa6f8c72844d133378bb1df911
SHA256 50f4fdfafc46731ed6f310d378ddda0a39d4b4cc10da9729a45b12f63e17aee4
SHA512 55ea0e4ca8f6202539254f10e87a608a0c8a1ad03ae0263a207664bb385cb78119641838bfc9e293c2e7799e9027b458694ae984ef5c8a8aacd62c4349e9ea25

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe

MD5 c04574bae7475ceb34295dba472371fd
SHA1 69644e2718e135c484d62abd409e10c94a280863
SHA256 38484c394c6c62deb85ee75b30cd5ff568c5dc23ca08a3366d0f2482dfefe11c
SHA512 9ffc37140111861f4b645fa7015beed57291bd45a0e02145391fed3638f853eff9b8beb7e60709716e3dc368abbc91d0a2e8e7088e3f138287d846cd3cf87a87

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9251280.exe

MD5 2ebab37f88bd95040550fddf6b98086b
SHA1 c87316aea7a90fbb0b058a5c472c294e1a711848
SHA256 81110de81c715b9b50429ca1f7a1ee9d83bc6a2ff10a79175a61e0ef344ebc1a
SHA512 42461327fdf3ef262861af2746f6a809d6c9867fae1f4bb6e1cff9b497e2a85fd2f95058be98dfae54aa35b841e3e93dd342ab0e5fd16df919ef76892baf212b
