Malware Analysis Report

2024-10-16 03:40

Sample ID 240927-z6grnszfmk
Target 29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675
SHA256 29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675
Tags
healer redline sony discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675

Threat Level: Known bad

The file 29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675 was found to be: Known bad.

Malicious Activity Summary

healer redline sony discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine

RedLine payload

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-09-27 21:19

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-27 21:19

Reported

2024-09-27 21:22

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe N/A

RedLine

infostealer redline

RedLine payload

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4254.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4694.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9122.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w89QO90.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4694.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9122.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4254.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w89QO90.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4694.exe
PID 3696 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4694.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9122.exe
PID 2204 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9122.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4254.exe
PID 4588 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4254.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe
PID 4588 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4254.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe
PID 2204 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9122.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w89QO90.exe

Processes

C:\Users\Admin\AppData\Local\Temp\29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe

"C:\Users\Admin\AppData\Local\Temp\29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4694.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4694.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9122.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9122.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4254.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4254.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 920 -ip 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w89QO90.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w89QO90.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4694.exe

MD5 d52e020e29ac4dc44aaf18c7379768b5
SHA1 932892064d0ac9d9f209a8acef76878d985eb4df
SHA256 c29af8e595e5a0daf31a2d2ab4213c9cf321a8918b42233bf2703eb74916ebc5
SHA512 609ed4b9b903be40c816b1bb538db41d9ac6baddde74d7c04d6c49abf268c917910df14c1eca6fe5db8d83cf1993ccaaeb92f082ccd73cbda79dc6d7cb5c9baa

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9122.exe

MD5 ed402590ff039ffcbcdd2b43ab75dc55
SHA1 6d4956bd6e5ea8994aa8e424731608341946cf23
SHA256 6ed9364a697efaf9608cd2745b64743f32776eac35b5344785a21b597f8e0f49
SHA512 1cd899055a40abed5483080e6c4dbf6c524198bcf644fe46253741737f2a4ef2c292a7b7aa0f65c5d13c81669377451a15a1e0e7dd7389eb0bfcca541a945113

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4254.exe

MD5 146f4d7810661af22f98e4369e9059b6
SHA1 33bc262fde6c40cdfca91cf0037cb0a699a8e7aa
SHA256 ffcfeb6ca7d2f87a37c09f4d18baf6c0b58c3d4fb40160179d59e0c549af2bf6
SHA512 94ae0e64921727863f2addcbb1cbe4d531808c42391ef548cec006123924cea8c49f4f029114cfc559dcc72ddbb0ca6b1f1eab6edac0155a4d1a27060d7085e5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe

MD5 8f08d2e339b767178cdecb7dda3fe081
SHA1 2848cb064709300ab76f3361835d695451466ba9
SHA256 f5a02f6f36d7c968622dd2cbceb9f7856ebe3f11023a65c354aca81e8cb94aaf
SHA512 c5eaac2201ca7ba222ae4d9f2a44f467cfae1a8d37b5f87ed63431ac03af92cd41b2116eced14c611c8b128c6ea1cc4652d4eb6093e8ae46aac5f37c1fbc1b83

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe

MD5 f4f9b13f02077cc87b4562b561dd10c8
SHA1 32478adb6ee61315b06f1f76464ceeb53f2c45fa
SHA256 2297566e52c196e2772d9ba7f2bf10b6aec0ee5c6c2c1db617865be6cb618a70
SHA512 80a5b1c76d56696d748130098bacd0a1fb4be697531d8b361288cde6b3c79ccedc889f86050f5eab7acd65e477c75eb4a36fc6e23749e596b426de5c3b4a51e2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w89QO90.exe

MD5 2ff54b9ce97a7993e8a90e32dae619c9
SHA1 f39ae8a1dd6f92f0c34505486802194684e5161b
SHA256 e183224970df28862498cd6f5516f6e081c41d6dceda19f2a0ae8e4e88af4f30
SHA512 bbe5ad76e51e9b295f2967c78fb63e06c0b367b3a73ae8e081d61558f2bc0ced464ffed796fc99a3b758a743d367b736b54c009a84463311fa91bf9445326175
