Malware Analysis Report

2025-08-06 01:25

Sample ID: 241109-gt11nsyhrj
Target: 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e
SHA256: 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e
Tags: healer redline down discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e was found to be: Known bad.

Malicious Activity Summary

healer redline down discovery dropper evasion infostealer persistence trojan

Redline family

RedLine

RedLine payload

Healer

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 06:06

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 06:06

Reported

2024-11-09 06:09

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRy02s07.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRy02s07.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4892 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe
PID 764 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe
PID 2156 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe
PID 5112 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe
PID 5112 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe
PID 2156 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRy02s07.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe

"C:\Users\Admin\AppData\Local\Temp\2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRy02s07.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 193.233.20.31:4125 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe

MD5 570dd305660eca093e1784a864ea1ad5
SHA1 0aeaed648472b42cb436bc7d8142e03fbe591cb6
SHA256 f4c291cb1ec7df991fbb2b9adac537e7956d262d92d50c3829cfa824058b661b
SHA512 9f4ed7174d17da17f887357432689b780daf8525db5097cb3fc63a82ec88f97fb9c2efdbcba1ce6479cb04071e375e1ff2c86282f535711010f0ac73b1d6b0c3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe

MD5 80d2bacba68ec9dd5841bb3c8d356055
SHA1 610e66e03d42ece00e942770566b7464d766571e
SHA256 ed53879b7b89ea9927d775f1f6a0e544c3040fe9248d5786b98b1b3cc0ea30e9
SHA512 5bfe93c81194ce76599adfca3bb9c5fb150504c31adc43d5a1688f531a350c17d74cf73ac89a2f66aede23836c1114dcef3a7b8edd7f433a96651717dd46e261

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe

MD5 ee72c631338fad60efd2ed9de67e96f8
SHA1 1993d8d86b5af095ff7f052f38a5228a1a5695ce
SHA256 d5b776ca6f2991e94f80eae424fb4710ee0431182cd4210c2b80b8206ebda1ab
SHA512 0828282df18fd826116a1913993fadee30402e787e6f082ca63ee99c1e671f322ec90162683c7cdb17a3859e278c5bf70fd48dcac6a5778fe6de82862da165f5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe

MD5 3e1e1d0dc6be7d3ad3c50e164e79aa5a
SHA1 1875e9b16f548098ae0ca1a892a6c3962197e784
SHA256 d60f628516102a2a7e57b722c18752f1f8c70ff059d4ba86fe86db3dbaf1a64e
SHA512 34b9318db017de4142f0b6a6b4116707a9a2593eb5a7db9d38e1b75bff86f084657d0cfdeeeb7be7c406db972e426192b7d953e43487bd4a4bf223cbbce45c0b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRy02s07.exe

MD5 a36d8541e6bf00b56e6c2b9990833bcf
SHA1 9f1fc299eb443ceb8801dda3b939ddc2275cb43a
SHA256 cb3d2b46de974c63aae6bd4537bc5f95cadaca52ca08ad8274c1add817f81daa
SHA512 823fef42ff2594781524a1d584f9ced7349a64927242253ad3f16f81a8e68d3ebaf6939d1584584107cea3a017c21e8fbbe9cefd53fdf3711225a77c4f347c39
