Malware Analysis Report

2025-01-23 05:57

Sample ID 241108-enr5gavfqb
Target 8a56dada905d7b9c246a97eb1cce1a820336dfaff983ed59f1c7fe85b4c103f8
SHA256 8a56dada905d7b9c246a97eb1cce1a820336dfaff983ed59f1c7fe85b4c103f8
Tags
healer redline diro lada discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 8a56dada905d7b9c246a97eb1cce1a820336dfaff983ed59f1c7fe85b4c103f8 was found to be: Known bad.

Malicious Activity Summary

Redline family

Healer

Detects Healer an antivirus disabler dropper

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-08 04:05

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 04:05

Reported

2024-11-08 04:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a56dada905d7b9c246a97eb1cce1a820336dfaff983ed59f1c7fe85b4c103f8.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu232293.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8a56dada905d7b9c246a97eb1cce1a820336dfaff983ed59f1c7fe85b4c103f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177368.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661681.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661681.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu232293.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk126852.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8a56dada905d7b9c246a97eb1cce1a820336dfaff983ed59f1c7fe85b4c103f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177368.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu232293.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2616 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\8a56dada905d7b9c246a97eb1cce1a820336dfaff983ed59f1c7fe85b4c103f8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177368.exe
PID 4780 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177368.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661681.exe
PID 2416 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661681.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe
PID 2416 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661681.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu232293.exe
PID 4640 wrote to memory of 5748 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu232293.exe C:\Windows\Temp\1.exe
PID 4780 wrote to memory of 6124 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177368.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk126852.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8a56dada905d7b9c246a97eb1cce1a820336dfaff983ed59f1c7fe85b4c103f8.exe

"C:\Users\Admin\AppData\Local\Temp\8a56dada905d7b9c246a97eb1cce1a820336dfaff983ed59f1c7fe85b4c103f8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177368.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177368.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661681.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661681.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu232293.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu232293.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4640 -ip 4640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1384

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk126852.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk126852.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177368.exe

MD5 145dd89aa829f089c62191336e683672
SHA1 10aced46c18607984130d991682d7d18f4716d1e
SHA256 7e991eb5bb517c410321db93e74994c2dd0e2b5ead8b0469af65a2b4561ef3c6
SHA512 8ccbded3301b6161f2bd279a2823635b22609ff81d5ada260a89e31f51a4c52801b2b31420ba5860c4c0287aa82872d97a48ac24febfde0bc753d71eec9c12d5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661681.exe

MD5 0ab78a1d04c816e4b0b177cbd2f74c45
SHA1 1c1339d3e2a637af15efbd725741638d33982c5f
SHA256 b9d079ffb30dd9d569847db6c4452fb04974cced4ebdfffe80b16af866eb7d9a
SHA512 17edbe173929213b640a832d05103c8d585f45cd96b26006c00aee01438d8ce1891b1d18e4bd2db2a5de17aced06870b481061e8eba165d12daad658694ecffa

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr833676.exe

MD5 e777aa9d7c042d8c4ecdfeba0bf329e7
SHA1 552a3b43feb2bca84d89df7b9e0715fbf62984fc
SHA256 c882bc4032222a5e77b2ab6abdb275f2ecac4882a2b1261da13e1c0ebf852a0a
SHA512 f07953862512d2155819b58b7012830096951d5b0bbca828d8d591bc65ee6d897e93cde4f7056d4c5a35bd2e0656efe62163ca0e0ea4a70b8dcd3ff3096fc89f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu232293.exe

MD5 0be4f290f0426f9443fff1eba37783e7
SHA1 7f108be029302825ca0d37ff77ad41c1e308ffb5
SHA256 5c3a0a9fe24c574c9b1892907fde406054f11590cd36f3769667e6e606a6d0e6
SHA512 80893a9ebc9885db106d277b023b3f0181be5fb488d5b5b1b5c31553917550b4129b8926a673a41a3a090727e5b44b71c99f9ded99541ad78ceeba6cade3ccb9

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk126852.exe

MD5 aa8bb998c46f60bacf91f98f8d4d7b5c
SHA1 61c7e314d916035128849f85a29b34ac1fb482e0
SHA256 7e0252d52b7ff9e4466411941eb98cc220824be0f2eefdfe38e6b494f1176131
SHA512 3e1e8400351fbeedbb0f07370260dea23782c24924482d33c54f9db9659c858c2ee89f69b9a8256b091efec0ea33b09e408e0d218769ca3e2cbd013dd935dde7
