Malware Analysis Report

2025-01-23 05:58

Sample ID 241107-s87bsavjev
Target b2ee8eac7ff2a3145ea6f371b8f937ea09061b95903261d8e57df4d77dc16a16
SHA256 b2ee8eac7ff2a3145ea6f371b8f937ea09061b95903261d8e57df4d77dc16a16
Tags healer redline diza lada discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file b2ee8eac7ff2a3145ea6f371b8f937ea09061b95903261d8e57df4d77dc16a16 was found to be: Known bad.

Malicious Activity Summary

healer redline diza lada discovery dropper evasion infostealer persistence trojan

RedLine

Redline family

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detects Healer an antivirus disabler dropper

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-11-07 15:48

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 15:48

Reported

2024-11-07 15:51

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2ee8eac7ff2a3145ea6f371b8f937ea09061b95903261d8e57df4d77dc16a16.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu312957.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b2ee8eac7ff2a3145ea6f371b8f937ea09061b95903261d8e57df4d77dc16a16.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un382105.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un931850.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk222227.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b2ee8eac7ff2a3145ea6f371b8f937ea09061b95903261d8e57df4d77dc16a16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un382105.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un931850.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu312957.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu312957.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\b2ee8eac7ff2a3145ea6f371b8f937ea09061b95903261d8e57df4d77dc16a16.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un382105.exe
PID 4988 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un382105.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un931850.exe
PID 4392 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un931850.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe
PID 4392 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un931850.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu312957.exe
PID 3244 wrote to memory of 5500 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu312957.exe C:\Windows\Temp\1.exe
PID 4988 wrote to memory of 5840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un382105.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk222227.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b2ee8eac7ff2a3145ea6f371b8f937ea09061b95903261d8e57df4d77dc16a16.exe

"C:\Users\Admin\AppData\Local\Temp\b2ee8eac7ff2a3145ea6f371b8f937ea09061b95903261d8e57df4d77dc16a16.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un382105.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un382105.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un931850.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un931850.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu312957.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu312957.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1384

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk222227.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk222227.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.90:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un382105.exe

MD5 a42ac7638dedc843af252fa7d73b2fc2
SHA1 8b9ea41bf110dcd4b28c9023f421cad33ca3b0bc
SHA256 79459f5dea31a89501058b0890a7bbf6bdd5df215b074288be6a8a5d19382b97
SHA512 b2323a5a7341a726e07384cc26de219fd753f3fbe13fd8072177d05a43fa9a368f87527101e752c4819be1899f5925b752bbda52f08b12ef8dc80fee78f55b70

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un931850.exe

MD5 5550568857c9b07b19d89112a93346f6
SHA1 46ea05e08306b41f7c03f4169e9f61c6a66da2e8
SHA256 88e785b24ec0e4d2e31baccfe78cd8da70804f2841d24449a10c8f18b9e18888
SHA512 60cb21a952f14b08c89c58be0e885a3b1e9988fbb9bd8fe424b76a3fa85f43afb3a5072c756a4f81b19b79cc1c102afb6f974bdce33f210808138321703e5dc6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr148554.exe

MD5 9c837e1fd435c634d0b5084c7f9ca91e
SHA1 b0b0e62d88833a028676839ba36fefc8bf8ef49c
SHA256 2e7f900ab82bee73098c9284049fbae2a6a3c1a8cefceca96a5665de66781aa9
SHA512 4a797ac8758cb15e4c5dd233c65a4e7e4abda5ed7619c8a4f592a4e8e023014b8c6381ab89bdc948e79e75d00908385188fc80af85e20d0193ad0f3ecee52bc4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu312957.exe

MD5 3fee618f112caa5d0185410ced1b785c
SHA1 103ff6a25967b7130371b265be894a3a04193b2b
SHA256 6c5dad9174419b97c2b25132197205d48be7178e8a9d8849b60221ce1feb3b4e
SHA512 a69e98469d6d0cccb1830898957c99e3c223a9141c85a6a94b0c89980ed50ed2f25ccaa7472909285ced50f7566ba12eb54eb8e7b524651719d3131d55f0e948

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk222227.exe

MD5 c52ebada00a59ec1f651a0e9fbcef2eb
SHA1 e1941278df76616f1ca3202ef2a9f99d2592d52f
SHA256 35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e
SHA512 6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2
