Malware Analysis Report

2024-12-06 02:42

Sample ID 241110-axetaavlfs
Target f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b
SHA256 f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b
Tags
healer redline dezik norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b

Threat Level: Known bad

The file f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b was found to be: Known bad.

Malicious Activity Summary

healer redline dezik norm discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine

Healer

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine payload

Healer family

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:35

Reported

2024-11-10 00:37

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(17 matches recorded for this rule; the report gives no indicator, process or target details for any of them)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(5 matches recorded for this rule; the report gives no indicator, process or target details for them)

Redline family

redline

Checks computer location settings

Note: HKCU\Control Panel\International\Geo\Nation holds the user's configured country (a GeoID). Crimeware loaders commonly read it to skip hosts in excluded regions; here it was read by qu317361.exe, the stage that drops C:\Windows\Temp\1.exe.

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe N/A

Windows security modification

evasion trojan
Note: pr074599.exe (the Healer component) wrote the Real-Time Protection policy values above and the TamperProtection value below from a 32-bit process, which is why the sandbox logs the WOW6432Node view; when checking a 64-bit host, inspect both the native key and the WOW6432Node key. On a host with Tamper Protection enabled, Defender does not honour these registry writes, but their presence is still a high-confidence sign that this dropper ran, and they should be reverted during cleanup.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe N/A
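A host-side check for the same settings, as an added example that is not part of the report or of any sandbox tooling: it assumes the responder collects `reg export` output for the Windows Defender policy key and the Windows Defender key (the .reg text embedded in the script is a constructed sample shaped like that output, not data from the report), parses the dword values, and flags any that match what pr074599.exe wrote. Key paths are normalised so that the WOW6432Node view the sandbox logged and the native 64-bit key map onto the same table entry.

```python
"""Flag the Defender settings this dropper writes in a reg export snapshot.

Added example, not part of the original report. Input is the text of a .reg
file produced by `reg export`; SAMPLE_REG below is a constructed stand-in.
"""
import re

# Value names and the setting the report shows pr074599.exe writing, keyed by
# path relative to HKLM\SOFTWARE with any WOW6432Node component removed.
HEALER_VALUES = {
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableBehaviorMonitoring"): 1,
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableIOAVProtection"): 1,
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableOnAccessProtection"): 1,
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring"): 1,
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableScanOnRealtimeEnable"): 1,
    (r"Microsoft\Windows Defender\Features", "TamperProtection"): 0,
}
# Registry paths and value names are case-insensitive, so match in lower case.
_LOOKUP = {(k.lower(), n.lower()): v for (k, n), v in HEALER_VALUES.items()}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')

# Constructed sample: what `reg export` of the two keys could look like after
# this dropper ran on a 64-bit host. The native Features key keeps a non-zero
# TamperProtection value and must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableIOAVProtection"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000
"""


def parse_reg_export(text):
    """Parse [key] headers and dword values into {key: {name: int}}.
    REG_SZ/REG_BINARY lines are ignored; every value of interest is a DWORD."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = DWORD_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = int(vm.group(2), 16)
    return keys


def normalize_key(key):
    """Drop the hive prefix and a leading WOW6432Node so the 32-bit view the
    sandbox logged and the native 64-bit view map onto the same table entry."""
    rel = re.sub(r"(?i)^(HKEY_LOCAL_MACHINE|HKLM)\\SOFTWARE\\", "", key)
    return re.sub(r"(?i)^WOW6432Node\\", "", rel)


def defender_tamper_findings(reg_text):
    """Return [(exported key, value name, observed value)] for each setting that
    matches what the dropper wrote; an empty list means none were present."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        rel = normalize_key(key).lower()
        for name, observed in values.items():
            if _LOOKUP.get((rel, name.lower())) == observed:
                findings.append((key, name, observed))
    return findings


def load_reg_file(path):
    """`reg export` writes UTF-16LE with a BOM; read it with that encoding."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for key, name, value in defender_tamper_findings(SAMPLE_REG):
        print(f"TAMPERED  {key}\\{name} = {value}")
```

Run it against `load_reg_file("out.reg")` for a real collection; on the constructed sample it reports the five Real-Time Protection values and the zeroed TamperProtection under WOW6432Node, and leaves the native Features key alone.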

Adds Run key to start application

persistence
Note: the three RunOnce values below are the IExpress/WExtract self-extractor's own cleanup hook (rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP00N.TMP staging directory at the next logon); each nested extractor registers one. They do not relaunch the payload, and no other persistence mechanism is recorded in this run, so treat this signature as evidence of the packaging (nested IExpress archives) rather than of a startup entry that survives for the payload.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk168397.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe N/A

Suspicious use of WriteProcessMemory

Each parent wrote to its child's memory three times, in the pattern a parent produces when it starts a child process; the rows therefore trace the drop chain (Process = parent, Target = the child it started) rather than injection into an unrelated process.
Description Indicator Process Target
PID 4992 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe
PID 4992 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe
PID 4992 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe
PID 3728 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe
PID 3728 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe
PID 3728 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe
PID 4076 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe
PID 4076 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe
PID 4076 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe
PID 4076 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe
PID 4076 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe
PID 4076 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe
PID 3448 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe C:\Windows\Temp\1.exe
PID 3448 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe C:\Windows\Temp\1.exe
PID 3448 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe C:\Windows\Temp\1.exe
PID 3728 wrote to memory of 5712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk168397.exe
PID 3728 wrote to memory of 5712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk168397.exe
PID 3728 wrote to memory of 5712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk168397.exe

Processes

Drop chain reconstructed from the WriteProcessMemory rows and the WerFault command lines (PIDs in brackets): the sample [4992] starts un143007.exe [3728], which starts un718758.exe [4076] and later rk168397.exe [5712]; un718758.exe starts pr074599.exe [1472] (the Healer component, which crashed: WerFault -p 1472) and qu317361.exe [3448] (which drops and starts C:\Windows\Temp\1.exe [3180] and also crashed: WerFault -p 3448). The IXP00N.TMP directories are the temp directories that IExpress/WExtract self-extracting packages unpack into, so the three un*.exe stages are nested IExpress archives.

C:\Users\Admin\AppData\Local\Temp\f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe

"C:\Users\Admin\AppData\Local\Temp\f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1472 -ip 1472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3448 -ip 3448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1524

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk168397.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk168397.exe
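The chain can be rebuilt mechanically from the report's WriteProcessMemory rows and WerFault command lines. The script below is an added example written for this page, not tooling from the sandbox vendor; its input is a constructed excerpt of those rows (the six distinct parent/child pairs, the first repeated as the report repeats it) and the four WerFault lines, and it assumes the row layout shown in this report.

```python
"""Rebuild the drop chain from the sandbox's WriteProcessMemory rows.

Added example, not part of the original report. The sample input below is a
constructed excerpt of the rows and WerFault command lines shown above; the
parsing functions are written for that report layout.
"""
import re

# Constructed sample: the six distinct parent->child rows from the report,
# with the first row repeated as the report repeats it, to show that
# duplicates are counted rather than drawn as extra edges.
WPM_ROWS = r"""
PID 4992 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe
PID 4992 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe
PID 4992 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe
PID 3728 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe
PID 4076 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe
PID 4076 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe
PID 3448 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe C:\Windows\Temp\1.exe
PID 3728 wrote to memory of 5712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk168397.exe
"""

# Constructed sample: the WerFault command lines from the Processes section.
PROCESS_LINES = r"""
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1472 -ip 1472
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1084
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3448 -ip 3448
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1524
"""

# The parent path is matched non-greedily so the split lands on the child's drive letter.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")


def parse_wpm_rows(text):
    """Collapse the rows into {(parent_pid, child_pid): {parent, child, count}}."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not a WriteProcessMemory row
        key = (int(m.group(1)), int(m.group(2)))
        edge = edges.setdefault(key, {"parent": m.group(3), "child": m.group(4), "count": 0})
        edge["count"] += 1
    return edges


def crashed_pids(text):
    """PIDs that WerFault was started for (its -p argument): each one crashed."""
    return {int(p) for p in re.findall(r"WerFault\.exe[^\n]*?-p (\d+)", text)}


def build_tree(edges):
    """Return (pid -> image path, pid -> ordered child pids, root pids)."""
    images, children = {}, {}
    for (ppid, cpid), edge in edges.items():
        images.setdefault(ppid, edge["parent"])
        images.setdefault(cpid, edge["child"])
        kids = children.setdefault(ppid, [])
        if cpid not in kids:
            kids.append(cpid)
    all_children = {cpid for (_, cpid) in edges}
    roots = [pid for pid in images if pid not in all_children]
    return images, children, roots


def render_tree(edges, crashed=frozenset()):
    """Indented drop chain, one process per line, crashed processes marked."""
    images, children, roots = build_tree(edges)
    lines = []

    def walk(pid, depth):
        name = images[pid].rsplit("\\", 1)[-1]
        mark = "  (crashed, see WerFault -p %d)" % pid if pid in crashed else ""
        lines.append("%s%s [%d]%s" % ("  " * depth, name, pid, mark))
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(parse_wpm_rows(WPM_ROWS), crashed_pids(PROCESS_LINES)))
```

Pasting a report's full set of rows into WPM_ROWS gives the same tree with the repeat counts preserved per edge; a count other than the usual three for a parent/child pair, or a target that is not a child the parent started, is the case that deserves a closer look as possible injection.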

Network

All UDP entries are PTR (reverse) lookups sent to Google DNS at 8.8.8.8:53; the in-addr.arpa names are reversed-octet forms of addresses (for example 13.86.106.20.in-addr.arpa is the lookup for 20.106.86.13) and are typical OS and sandbox background lookups. The only non-DNS traffic is the repeated direct-to-IP TCP connection to 77.91.124.145:4125 (FI), with no domain name involved; it is the network indicator to hunt on and block, and is consistent with a RedLine C2 given the detections above.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 udp

Files

Dropped files are listed with their hashes. The memory/<pid>-<n>-<start>-<end>-memory.dmp entries are the sandbox's dumps of memory regions of the process with that PID (1472 = pr074599.exe, 3448 = qu317361.exe, 3180 = 1.exe, 5712 = rk168397.exe), numbered in capture order. For PID 1472 the image base 0x400000 was dumped at two different extents (0x30000 and 0xAA000 bytes), a pattern consistent with the image being rewritten in place by an unpacking stage; those two dumps are the first to compare when looking for the decoded payload.

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe

MD5 e06742773d31085198854f575b1836f8
SHA1 6e932fc5f974b51d61cd62b948663eef7f29f96a
SHA256 70e8e6132c436aa1383d9659c75e7c6c2df99e4122eb655792ea8f6d6c43e35d
SHA512 16f60d6edd227a0fcf8028c5524c4bba70e403854eaccebdfacb68ab29686ef8da9a7a1b8b14d3af640a1ee142b61d67f253d3f502343e942448523e45fe5700

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe

MD5 dfcad12707a38edf22439b2cb99a9547
SHA1 4d61ed35d4d327b63cf30fc79e6d27d775b7341e
SHA256 00d62480c93aba85cbbbd1d52e28f9e6d7ba949ae6f3243763e8606ac67bb65f
SHA512 cf972f2325cfcf0bc1ccf56f1ab1f6553eaf70828621dd817ec920684d3cc84a309d4dff72bb361b215f96cfbdbb96e26a5545cf9e21ad1e2e9cf24e7a12b3f8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe

MD5 a9cd83a7e7d6417bb347e00d2dd3fbbd
SHA1 5eabe660a1e8d7e1aee3bede29da6cd4da5c616d
SHA256 f9a1dd637e9227a995968d8809e73094a2642f2bdbb086d6196b0c36ba2be873
SHA512 9338087c81bf8cc8b20a668381d7ef3da8627fc6c7d517235e281cad30e78da4d428721b95c0cde7bde35c4c141e9f39d7f4097fd46ba32dd18c09df9c5c29e3

memory/1472-22-0x00000000006F0000-0x00000000007F0000-memory.dmp

memory/1472-23-0x00000000005B0000-0x00000000005DD000-memory.dmp

memory/1472-24-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1472-25-0x0000000002460000-0x000000000247A000-memory.dmp

memory/1472-26-0x0000000004BC0000-0x0000000005164000-memory.dmp

memory/1472-27-0x00000000025F0000-0x0000000002608000-memory.dmp

memory/1472-37-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-55-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-53-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-51-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-49-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-47-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-45-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-43-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-41-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-39-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-31-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-29-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-28-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-35-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-33-0x00000000025F0000-0x0000000002602000-memory.dmp

memory/1472-56-0x00000000006F0000-0x00000000007F0000-memory.dmp

memory/1472-57-0x00000000005B0000-0x00000000005DD000-memory.dmp

memory/1472-58-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/1472-59-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1472-61-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/1472-62-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe

MD5 3953945d244f0372c5897744aed4f964
SHA1 04c58f273c37b63292311b94f2573e903964e05f
SHA256 a1758069b120f8bbceeda056b3a9cf8b53e6db8233d38594b915295c5ce7114d
SHA512 49b6e2cfe78c8d201f803d1e729ef4985a5b641ab7b0f2da429c5dfd364977aa50e03dc81d3650e5526ada2c16cb4cc4fe63de86e82cc46262bb432f8bbd92c9

memory/3448-67-0x0000000004A20000-0x0000000004A86000-memory.dmp

memory/3448-68-0x0000000005270000-0x00000000052D6000-memory.dmp

memory/3448-71-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-78-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-90-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-76-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-74-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-72-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-69-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-102-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-100-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-98-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-96-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-94-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-92-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-88-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-86-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-84-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-82-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-80-0x0000000005270000-0x00000000052CF000-memory.dmp

memory/3448-2149-0x0000000005440000-0x0000000005472000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/3180-2162-0x0000000000190000-0x00000000001C0000-memory.dmp

memory/3180-2163-0x0000000004970000-0x0000000004976000-memory.dmp

memory/3180-2164-0x0000000005160000-0x0000000005778000-memory.dmp

memory/3180-2165-0x0000000004C50000-0x0000000004D5A000-memory.dmp

memory/3180-2166-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/3180-2167-0x0000000004B80000-0x0000000004BBC000-memory.dmp

memory/3180-2168-0x0000000004BC0000-0x0000000004C0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk168397.exe

MD5 c5ab4a92d7b28c9e63598bf2eeade8e2
SHA1 e436d4127b8b2ab606d9815543b0d13c5d3b9c83
SHA256 9fdf95fef12de09adfacb495304be004bdd286c24f5c65e4b476a9b77e3d16fb
SHA512 ebab87641725b6d1849969abce588c4e6d957da11492b24bd37ca88ca9f010cd53d054116ce67a46cc6f82622f99779a4bbfbd28c9b62eb545396ab56372cf86

memory/5712-2173-0x0000000000210000-0x000000000023E000-memory.dmp

memory/5712-2174-0x0000000004A30000-0x0000000004A36000-memory.dmp