Malware Analysis Report

2025-04-03 14:21

Sample ID 241110-dffk2ayajk
Target 6e180dd6599dcc68f28845265956f8b4bdbf5b211473c84269d7ce53760551aa
SHA256 6e180dd6599dcc68f28845265956f8b4bdbf5b211473c84269d7ce53760551aa
Tags
healer redline sony discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e180dd6599dcc68f28845265956f8b4bdbf5b211473c84269d7ce53760551aa

Threat Level: Known bad

The file 6e180dd6599dcc68f28845265956f8b4bdbf5b211473c84269d7ce53760551aa was found to be: Known bad.

Malicious Activity Summary

healer redline sony discovery dropper evasion infostealer persistence trojan

RedLine

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer

RedLine payload

Redline family

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:56

Reported

2024-11-10 02:59

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e180dd6599dcc68f28845265956f8b4bdbf5b211473c84269d7ce53760551aa.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu841808.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu841808.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu841808.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu841808.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu841808.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu841808.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu841808.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9711.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6e180dd6599dcc68f28845265956f8b4bdbf5b211473c84269d7ce53760551aa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4769.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4769.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9711.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsa40s40.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e180dd6599dcc68f28845265956f8b4bdbf5b211473c84269d7ce53760551aa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu841808.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsa40s40.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\6e180dd6599dcc68f28845265956f8b4bdbf5b211473c84269d7ce53760551aa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4769.exe
PID 5020 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\6e180dd6599dcc68f28845265956f8b4bdbf5b211473c84269d7ce53760551aa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4769.exe
PID 5020 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\6e180dd6599dcc68f28845265956f8b4bdbf5b211473c84269d7ce53760551aa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4769.exe
PID 3148 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4769.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe
PID 3148 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4769.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe
PID 3148 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4769.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe
PID 3624 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9711.exe
PID 3624 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9711.exe
PID 3624 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9711.exe
PID 4416 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9711.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu841808.exe
PID 4416 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9711.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu841808.exe
PID 4416 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9711.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe
PID 4416 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9711.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe
PID 4416 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9711.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe
PID 3624 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsa40s40.exe
PID 3624 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsa40s40.exe
PID 3624 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsa40s40.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6e180dd6599dcc68f28845265956f8b4bdbf5b211473c84269d7ce53760551aa.exe

"C:\Users\Admin\AppData\Local\Temp\6e180dd6599dcc68f28845265956f8b4bdbf5b211473c84269d7ce53760551aa.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4769.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4769.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9711.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9711.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu841808.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu841808.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsa40s40.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsa40s40.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4769.exe

MD5 a9a27dae57f00f970ba3199653f81435
SHA1 9301694f7fc606c3100712c5b491449b7e64e354
SHA256 2c72608640fb1ba95095a2a155e0f26d3948279b65f81f78ae4dc8340d113b55
SHA512 ad613e2bab189b40617dc4c90e15770bdbb974e112f9e56cf498dd7b3b692130941de126d25652a00cf6d1816892cb078d6645e4b48c2fb0ef007db9876312b3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina6575.exe

MD5 cbc40646da93994bb411caf34eaea493
SHA1 34976fda61cfa4077ddbe6b0f82443cddc8cc4d1
SHA256 0663470a39efb471a75a2c3fdb294459ef83c9faff156560f68202d874cf231d
SHA512 8e9b1646d14e29cc864f60fe5f35052b277526c5bb7582b969426e9e3290e80fa48b2874308021fbb26cb680a99bd147ef3aa2677dea42f317868ef042c291ee

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9711.exe

MD5 6f44f81ca0d1b39fb340ab40b2dbf68f
SHA1 5bf6a67130c28c69158497f78db1327ae921990a
SHA256 46e12820bfb8c2e1817578369749d7d3b09292e157a2c4c11e3f323a8ed56583
SHA512 d33d73d353feb0b31a6c090030dd1d44a52bed7640e37451215a56cda67ac516ba32bdbf97058444f5efead1f94ec92bc87bef373eba1b290f7feb5f6c2e69b0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu841808.exe

MD5 043a8b533e230bd63bc256e67bd5eec9
SHA1 312cb24d443c3ee952d0b77a854029ecfade190d
SHA256 43d695677f76daa84dcbe4863620cc726d02fed68dc2fe2363b442abca418e04
SHA512 5cc71ca268532d5ee3b49d7f5e5c21c24e3681951dd8ae7ddff205d43e9dae0b4cd3ac80702937c31f8b8c59afc4da1200030f5d92c9407dc46a095e3255ac9b

memory/2808-28-0x00000000005F0000-0x00000000005FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3110.exe

MD5 8c5675ac5e9c8d6f65397bd53debf3c4
SHA1 e707b90d80f96f09a64f22eaf0ee5d019a91d462
SHA256 f1c1a8f235a8b6acaf620747b463dd6eaa31d69a3678fe26ecb9b23baa070ee1
SHA512 91e14e777f48fb1c9b6faf2c69fe37196b6e065f6232bb667f92bdfe12862eeba73c55ef140a0ae4c8d74fc2735d03fbeaa1ebf3aee1982b7dd69869639ce085

memory/1120-34-0x0000000002510000-0x000000000252A000-memory.dmp

memory/1120-35-0x0000000004F20000-0x00000000054C4000-memory.dmp

memory/1120-36-0x00000000027B0000-0x00000000027C8000-memory.dmp

memory/1120-37-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-64-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-62-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-60-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-58-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-56-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-54-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-52-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-50-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-48-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-46-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-44-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-43-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-41-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-38-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/1120-65-0x0000000000400000-0x000000000070E000-memory.dmp

memory/1120-67-0x0000000000400000-0x000000000070E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsa40s40.exe

MD5 a49dc895795ac1fa82f2255a577cf3a5
SHA1 6438642728f910635bf36e67083d4c1ac1245d51
SHA256 31c3c58d776ac535bef947067a121ad19fca98bd12c9d73162fab49b7f2308a7
SHA512 c918d5a66d5685dd4908269febc06d25ef8625a65fbf942ed062295a6cc0d56f9e27d6405f8b523079d2d7652e2693bf1245dc4f1128f9bc8043b94901e5f7a6

memory/2292-72-0x0000000002640000-0x0000000002686000-memory.dmp

memory/2292-73-0x0000000005330000-0x0000000005374000-memory.dmp

memory/2292-87-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-102-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-107-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-105-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-103-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-99-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-97-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-95-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-93-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-91-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-89-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-85-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-83-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-81-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-79-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-77-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-75-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-74-0x0000000005330000-0x000000000536E000-memory.dmp

memory/2292-980-0x0000000005370000-0x0000000005988000-memory.dmp

memory/2292-981-0x00000000059F0000-0x0000000005AFA000-memory.dmp

memory/2292-982-0x0000000005B30000-0x0000000005B42000-memory.dmp

memory/2292-983-0x0000000005B50000-0x0000000005B8C000-memory.dmp

memory/2292-984-0x0000000005CA0000-0x0000000005CEC000-memory.dmp