Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-ef3k8sxbnr
Target 139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61
SHA256 139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61

Threat Level: Known bad

The file 139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Healer family

Healer

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer an antivirus disabler dropper

RedLine

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:53

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:53

Reported

2024-11-09 03:56

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptnS7798oU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptDY2294wa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pthX6564hG.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptaQ8092CN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptfk1015pq.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptDY2294wa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pthX6564hG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptaQ8092CN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptfk1015pq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptnS7798oU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuoB11ue25.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuoB11ue25.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1164 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptDY2294wa.exe
PID 4040 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptDY2294wa.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pthX6564hG.exe
PID 3936 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pthX6564hG.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptaQ8092CN.exe
PID 1680 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptaQ8092CN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptfk1015pq.exe
PID 4464 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptfk1015pq.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptnS7798oU.exe
PID 2808 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptnS7798oU.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe
PID 2808 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptnS7798oU.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuoB11ue25.exe

Processes

C:\Users\Admin\AppData\Local\Temp\139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe

"C:\Users\Admin\AppData\Local\Temp\139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptDY2294wa.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptDY2294wa.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pthX6564hG.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pthX6564hG.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptaQ8092CN.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptaQ8092CN.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptfk1015pq.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptfk1015pq.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptnS7798oU.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptnS7798oU.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuoB11ue25.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuoB11ue25.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptDY2294wa.exe

MD5 9ec28288a452d28e3b9b1721a9c366e8
SHA1 7d4b46ddfcb2e56d01600a527a3308818d83054f
SHA256 44665130e48a60c62681a56ba03f16e8755199a3680201d6425b34e3322bdfa5
SHA512 d13ade32bf374fc5d7114e02509b008190f35bb116718e15080ac0f96c9216fdf76c0c24f36190e2b1fc9cf1e862446ffdd8e42f93c764df454dcc16fd1c1ce1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pthX6564hG.exe

MD5 dbb925f32f311649c157a115ba4763e7
SHA1 797a8f94e839e1af374635fe4fa71186dd9a7cbe
SHA256 3048a4f56790aa35929d1ab5491915cc32ccde7508027bc43c3c131340319f68
SHA512 9364da51dedf514796882282fe97ab2462419425c81e2c546ad7d8f5a16286fb578918dd7555080607e3b3bedf0c6d61947bb5330029ff260573a62d5b48f4d5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptaQ8092CN.exe

MD5 9ed43ee098e799be311164e5b94e834f
SHA1 3decd7930db9cd0b3f803dfb737bda08b5e66767
SHA256 830973dd7b19620a994aa3af654fadee994f05f2630aa5b805d0a7943aaeaa70
SHA512 529400699854751468f9dfc933ade2f7a618e7b1bb1800204fa65a1b95a6cb2f01b1dbcb458a4c4f4c9a4768754f478c6b98b66659508ba338b9c72b2919066e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptfk1015pq.exe

MD5 e752f5d93b5fb47a2591bc57fbc8153c
SHA1 699d3a0e3304eb60d323f658c9a6d196da7b0b52
SHA256 1a9761d4d8d1ee59556906a918e95bec483c1738a250878b9d3504ac456c38a2
SHA512 0a75ad924c8dce7b7c5f8d7668da46ffafde7857c0be4650d55544b0e724d0c2f02154b5fabb83f27ed433eb12931b5cc9043a9afdaf630c0c3d48d003b367d6

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptnS7798oU.exe

MD5 ac42ad32f401a681b4a6e4a26bde7fde
SHA1 36e2ccdc82a4a2c06308e0032d5e6a0a843c4c10
SHA256 cd2b3d902a992a9520d64a58cf2633d8e0cb6e9716dbdc958f72523d9666f43e
SHA512 136c3001065182c527ad3ece05ec82b0924bbd654ebfb569f7fbce72a7ff8add50468202faebb6caed5571039aa6d9c6721d9a0e9135278d3fd2ab486dfc028c

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe

MD5 09b7c2264158ec822921cc6b633c559f
SHA1 4913d6311d2c2c79ef8cee2e016e1272f77b67ea
SHA256 8a54f5f06d157051fe85d25b41c9f8376431ad199071fa5599f448977a6fcb26
SHA512 c1b71e09a3558fd1ba3d5683afc3e9f7f237a3f36c0cbf7cc52067add84e4de00307d142b5f02a7e8b483fc7ea5e32d4222fc06d5d1096d1a7c5113e4b248897

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuoB11ue25.exe

MD5 1c5a86f75232313703fab93a198cfae7
SHA1 ecf2d10a917811db5f5da1e29c929ab6a2866a0e
SHA256 6c5ec3126e35491fe8716e34691036a2cd0a24c110ad9080ecc4b1130ba92b71
SHA512 fd6d22ad3c16dcfa708a2e04ca73946046867a18c10ddfda030f04bc7f77373284c043d433997c27ba7e186e814573a26e11cd0a939467b7ec7683b919f9eb0f
