Malware Analysis Report

2025-01-23 07:40

Sample ID 241104-q3nw5szhmh
Target d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251
SHA256 d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview


Threat Level: Known bad

The file d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Healer family

Healer

Detects Healer an antivirus disabler dropper

Redline family

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:47

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:47

Reported

2024-11-04 13:49

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptkm2907mL.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCC3448Lc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJO0302ci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsc0096oD.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptkm2907mL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cumW18HT90.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCC3448Lc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJO0302ci.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsc0096oD.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cumW18HT90.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3908 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCC3448Lc.exe
PID 4460 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCC3448Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJO0302ci.exe
PID 5004 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJO0302ci.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsc0096oD.exe
PID 4464 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsc0096oD.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptkm2907mL.exe
PID 2156 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptkm2907mL.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe
PID 3252 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe
PID 3252 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cumW18HT90.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251.exe

"C:\Users\Admin\AppData\Local\Temp\d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCC3448Lc.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCC3448Lc.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJO0302ci.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJO0302ci.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsc0096oD.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsc0096oD.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptkm2907mL.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptkm2907mL.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cumW18HT90.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cumW18HT90.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCC3448Lc.exe

MD5 124cda411475130c5d8315b3fd746216
SHA1 f04f0da227843a2aafb23f2bb773f491b6aec4a4
SHA256 071dda77c990e0592d956e5a711e9beedf2d5e4be8ca14ad2e2edb86d08987be
SHA512 7c53859776fdc79c71e8f79bade36beb7f4d14ad475b2538b7a80a4eefa9bc8ca474d09878d6fea6187bd25c0abca80dfab693dd7f692b96e093b100a4d9964f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJO0302ci.exe

MD5 fe312e028a23f008211091023b477d93
SHA1 cd4edad0ee1cf89c22d6e3a8f0d3383d51204d61
SHA256 ab8f5867c2385c6c8008b7eb8bc97074698052d517106bb038f0aa5de3233528
SHA512 0f0231742957a6bf69920588a7815f5e3abac1958dd2fadd78ec8d4b341295a3c17d5675392acc68d81da6f313af3af565f66ff242b2af54190ddfc92f1f6b75

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsc0096oD.exe

MD5 2bd192dc9f3fd8ed5b0269cb355a2974
SHA1 eeac1c79a1fd032be0bbc7815112fd1cb3a24e38
SHA256 fb04c007615bfc7ba6377ca01b545d9d6fae3cca5b3d98d32f83fed0129f4174
SHA512 1f61700737e8e0955dcc97536f4a061e6f9a2e43b54c5bb846b4e6da8465955c9a0e21f6b3d105b6d7f37bc523359bbe84341d2e89e7895676a9436c252adfa6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptkm2907mL.exe

MD5 6ed4f139aab2d34d03ca7fffeff69d87
SHA1 96bf6c07f99b3a063f32c8dade2b690be83de6c8
SHA256 880b8295b2d9e15ad979558336db6ce4101e51624ad05366c98dc138a49c303f
SHA512 9a12df0e08ba40688f38b25076620f3db6d5b542149eb1489b314b74ff9633b7fe4d920a198a4247b7ca17707b9d226c1c46c9141820950d441bd3f01cf34a69

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe

MD5 bc2394e563e1bdeeaa722b90a53d4b7a
SHA1 f6aecded7c472a8fa452698f98a7b935aa98c93d
SHA256 e6d56d8dd9dbde443de2914ba32a9e9acb61600425f20cb5984deb8f67d29234
SHA512 d9e1194bf2fdedeb43e3f950fdc8364e4bd36788f822b86f9c66afc5678965eb0e57cfd05bbfc3eb422c9fcc6b5073e99380a3a87efc891adaa8d6f342254082

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe

MD5 6d89124f304d88ce8cee9c55754c0991
SHA1 6f4d7b6cfa346e7f5e8773f64a00b2dbb9bb8e83
SHA256 0960145b5afa396a1c6f17cbef2d43fb2b9251a9cbf2467df6a28b4ea741aace
SHA512 79e0ae3fead104fd54bd7b1bf9a08ddd9d4df6a21ca4025b7ccb3446baf988ffb9ac55c4114381e690b3b8e780245c50748246401fddb87bf4910e66a08c863e

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cumW18HT90.exe

MD5 1c5a86f75232313703fab93a198cfae7
SHA1 ecf2d10a917811db5f5da1e29c929ab6a2866a0e
SHA256 6c5ec3126e35491fe8716e34691036a2cd0a24c110ad9080ecc4b1130ba92b71
SHA512 fd6d22ad3c16dcfa708a2e04ca73946046867a18c10ddfda030f04bc7f77373284c043d433997c27ba7e186e814573a26e11cd0a939467b7ec7683b919f9eb0f
