Malware Analysis Report

2025-01-23 07:40

Sample ID 241104-q6xnfszmew
Target 75b21363eb446d456292c4d31ef906624c98ff8f7bc949e325e398d75de9694d
SHA256 75b21363eb446d456292c4d31ef906624c98ff8f7bc949e325e398d75de9694d
Tags
healer redline diro lada discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

75b21363eb446d456292c4d31ef906624c98ff8f7bc949e325e398d75de9694d

Threat Level: Known bad

The file 75b21363eb446d456292c4d31ef906624c98ff8f7bc949e325e398d75de9694d was found to be: Known bad.

Malicious Activity Summary

healer redline diro lada discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer family

Healer

RedLine

Redline family

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:52

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:52

Reported

2024-11-04 13:55

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75b21363eb446d456292c4d31ef906624c98ff8f7bc949e325e398d75de9694d.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu977176.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\75b21363eb446d456292c4d31ef906624c98ff8f7bc949e325e398d75de9694d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un969015.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un428814.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\75b21363eb446d456292c4d31ef906624c98ff8f7bc949e325e398d75de9694d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un969015.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un428814.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu977176.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk076217.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu977176.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3988 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\75b21363eb446d456292c4d31ef906624c98ff8f7bc949e325e398d75de9694d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un969015.exe
PID 3472 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un969015.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un428814.exe
PID 4080 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un428814.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe
PID 4080 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un428814.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu977176.exe
PID 5052 wrote to memory of 5356 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu977176.exe C:\Windows\Temp\1.exe
PID 3472 wrote to memory of 5860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un969015.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk076217.exe

Processes

C:\Users\Admin\AppData\Local\Temp\75b21363eb446d456292c4d31ef906624c98ff8f7bc949e325e398d75de9694d.exe

"C:\Users\Admin\AppData\Local\Temp\75b21363eb446d456292c4d31ef906624c98ff8f7bc949e325e398d75de9694d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un969015.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un969015.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un428814.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un428814.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 820 -ip 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu977176.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu977176.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5052 -ip 5052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1380

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk076217.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk076217.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un969015.exe

MD5 24b35a616233290628a118877a74c1f4
SHA1 434ee97cee5d25cb89b4811e8285042e94353a1f
SHA256 869f74503508589f92edf0fa20555015c75b76b861f077abf2f8aa6e220d54bd
SHA512 52026705cf59a3eb9587e40d2596c9935d1826a941789ca1f04781a0e7bbf53e1a204c159ca6b415b6e70d2004b7533830884b778480d39a4f806e3a82e2cd85

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un428814.exe

MD5 892e75f765155274e1cec8ada7a1c401
SHA1 aacd9ab623c008d5e5498161b14ad1c391823627
SHA256 8efe307cfa2a8e429b3dc97857bc1ce1c413ce5198898373fa28e94cd7947c7e
SHA512 940e07277cb6ca565ee3a52f5945fc98ecfbb79483fb54096824a85f1338e124752d9e46d3a401118411f5a124d3456c7d1662ed8eb36b9d0c384d473f6f94bb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr743034.exe

MD5 e2eac4b1096057c75726955e917c9eeb
SHA1 2864d11087abe8ee96c204c89bdfa65205f8df88
SHA256 73a7280988196ae9715c9c2fa4efc02be4af13efcd6f71ab06b4960084bf6b8b
SHA512 12f24a187ef9ed160828ecc92942e36938632ccea7e12ccb2f0482ab4b8bec1c1978677726e6b47a24c58a199aad7f4fa003dc2dbf7385573045b37272092a6b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu977176.exe

MD5 1ad7b260d18ad1b63ef2c113cccf4ab5
SHA1 0a8977836d64d08e0e4da9a5486675255efcef84
SHA256 5c765f0cebdd656982f4ba11728024f409abea6f3fde9101b69a9089a393a44a
SHA512 da051c10c89fdc8518686f56931d090fc131cdb1623bab8f8a98f29205ce6aca96594740d698ab12d3c5bba1e6e871a28c27db5d982e840238e1bdaf113df694

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk076217.exe

MD5 da61796e80b4a77ad45cd07a17385118
SHA1 64ed885cc06f6c72653daf5d1f867a247c10b23e
SHA256 d28b58ba7d42f3fe4a1b80231541bbb1513c93358a2509407eae73133a765ef1
SHA512 0209894fe7b2432ab06ad819a9435d3b6719165c0e119a50c9c9c088226f2babae510659d9abf8b4bac61c885bc1f803387ca88319396a2c8407dd5406afcb5c
