Malware Analysis Report

2025-04-03 14:17

Sample ID 241109-1tfjhstbjb
Target c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2
SHA256 c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2

Threat Level: Known bad

The file c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine payload

Redline family

RedLine

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:56

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:56

Reported

2024-11-09 21:58

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4556 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe
PID 4556 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe
PID 4556 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe
PID 3768 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe
PID 3768 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe
PID 3768 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe
PID 3612 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe
PID 3612 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe
PID 3612 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe
PID 3036 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe
PID 3036 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe
PID 3036 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe
PID 3036 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe
PID 3036 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe
PID 3612 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe
PID 3612 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe
PID 3612 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2.exe

"C:\Users\Admin\AppData\Local\Temp\c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 868 -ip 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe

MD5 4b851bfa0a52d9721528472960bea39e
SHA1 86f2c3dd4bf39695c91dae0f1ead6825941c889c
SHA256 218d79c7a6d75888470584ab9b519ba57ba3f2c835b42c8cc7f3022015182c53
SHA512 1bbfa990c9e327c82655d93207ca8ea84af58e49e145a50ea5960ef1d33fe4fdb7bedbbaa6e1f6e1f08616c4d96c26c97e69320d9e435fa83f967ab37032faac

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe

MD5 d3fd21661e5c780fd5a990ed573b0895
SHA1 428468b5c11caa1ff442a21fbbd9ec3ca86e3e94
SHA256 0ad922e6eb19cd59073d1eb61fb950ed32689a2ea4a582ac007e43022453a561
SHA512 0dc79a759cfd731dd95c75ea529c76ee22729c9cecf533596012b682368fa9f47bab14b9e4591ecca92237a2e5cffe57ee78a1f48c1c632743726def77badc19

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe

MD5 2c056cc3f964ee550f3581c39a7eb65b
SHA1 221655d8149a61dfdc34cbeba957018bcaa563e4
SHA256 cfad3c0ce756871d58998b347184c0609a7a58fea6dcd0451401034c6d8bfb20
SHA512 653f3d9864da0a1a7983685cf81cd01cc0dbd9d7815a267f36b3f148c3748659cc01b383ab8cfe823d3198e927d0bc6e3d625525cb475045e9e483c5f1dbd6e5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe

MD5 7c291b64056bf2aaacaeca34023ec2f4
SHA1 cb592c6614d7063d6876c175b9d1a3b0e7678cb5
SHA256 44c8011e3392c890b1f30fa5382bd621a95d94cae28cccfa4cc6e8e062541951
SHA512 1bb04549c56e2558eec71cac26c125044ed093ed427e5ece594d81d20d07e50f6b1ef408de05f064d4cd0c66090d67ce7da7338c06f85cb8d7c0848ccd8cdbf7

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe

MD5 f40854be7e29461c8f4a47dd907d4180
SHA1 31c8eb58e1921aa843e02d72f55e754349e7028b
SHA256 73afc9bf1423ee6f9b2912907558ee25607f09d5df467093a989b87d43ad27f8
SHA512 41dba6c847b6bbcd0b3d933b39f0b5af205469dd02c0397e88bf2de3ffff3e9b51ce3d4cc67dc9551f026b3452ffa84a4a3cd675337ffdb78bc0c92b7c2404bd

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe

MD5 d47ff96c02eeea76620286a8bcbb64cf
SHA1 334addf5fe11776a6051e28b92f9c357c410f1e7
SHA256 35feea349f02b293e5a8602ed7f8d9c2b77af26551797d079e989a1522af143a
SHA512 680c3cfa757874c5b0ef4318ceda1451e54374ed4d4423b5a0501d9f4e1febeff63628a90e29e698a0745593407092220882d8a1a3ff775460ac0393c2c4c9e3
