Malware Analysis Report

2025-08-11 07:52

Sample ID 241111-gltavstgqq
Target d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c
SHA256 d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c

Threat Level: Known bad

The file d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

RedLine

RedLine payload

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:53

Reported

2024-11-11 05:56

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4908 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe
PID 4908 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe
PID 4908 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe
PID 2212 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe
PID 2212 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe
PID 2212 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe
PID 2956 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe
PID 2956 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe
PID 2956 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe
PID 3160 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe
PID 3160 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe
PID 3160 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe
PID 2964 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe
PID 2964 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe
PID 2964 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe
PID 2424 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe
PID 2424 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe
PID 2424 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe
PID 2424 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe
PID 2424 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe

"C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe

MD5 135fe05769fde4811b7b82f9e6953898
SHA1 801e3f4cb9f2de8d6f23eef1ae3ad27144a10ea3
SHA256 2cad8389ef3e318f85a1d1e510d6c82deeaa03bfb5d426da75b7b444bf738d88
SHA512 17942df4a59e79c301623b779872c05a76650c78da0c4901fae612e42bf7159d5e67a814b8d84d9405aa83acf408cb02a4ce99fd89d19d85b7ac4b459378b9d8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe

MD5 3b64502135251765957881b1004f2d64
SHA1 060d2dd0a7c40cde8caabb5b38c2403a9e7c99fe
SHA256 cc67a326deaa7036f1f44ff3753179663f88454c1fa3cdb5f4a28c7bb42d2f85
SHA512 3901f0f0420009505fc2d859f7206b85da0fe69fc0428fb19a9ce9c4cff506f7925ee4f45113091aacc3ddf006ba5bdbb4f6ce33eaab5665db615ddcd9d1edde

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe

MD5 17ac80398b34da162fcf7ecc0f763a74
SHA1 57f754d8f66f40b8ca4b622c8c299cba227a92fa
SHA256 43b68ab76dba1942f8344df6654135bc7facadd20c2527a1c171701881a00408
SHA512 e2cc6e6d73c586bc29df7c56e8273ca8eae4f24e721a0e89395f6652455750fb97a47bb22f1d4518bfcf51f2a269f0b23097515687a7d4cf3b0261a303eb1b20

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe

MD5 e1c71f8c38c51f2f332db4caf005c06e
SHA1 5df276c470d78409865ff1249099690db78ba353
SHA256 ed6980bdebcb54e868e3250bdc35d082929e40b7b7ad0c01cd03ea08da24cb74
SHA512 3004a93f81a46636acdcabdca50d2237147011060e9e54923be71c114d988aee93d9518fa6d10dda2ef3a18477422f084db40b5a9312dec863fd46237e21922c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe

MD5 24a2060d275d7173342b0d49ed77f92f
SHA1 30eb51d998c07243eb6ea19012437d714ec761d3
SHA256 f1a0d48198c0943b4a3acc02a3dbf1c961bef2882e5ad10f6582be0cfee8cbca
SHA512 81006cb25e283eceb23047f71bec7d1e29d9fc59a98b6b933bb9686ea02c1d5740438a3c3fc0ac06bfa6b27d23e910fb607de9baa2b13c43dfed2a07d9f8b260

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe

MD5 fbae6642738fc0259a38c805b2e77afe
SHA1 e4fe779f4c01964757936b503ca9bb2ce0c08217
SHA256 281b0349ecf48ce797a70455c9b129bdbaea6c82c98c39b15dc9e910665cbf02
SHA512 0cf14499698a6b625eee336a142e6e7ab2e4cf5121d8fb9682824b5c95e754f84b22bc7a6ad29138dff5f2654d3d2d380f64825de2eb95153e903f4f6454edb4

memory/2600-42-0x0000000000260000-0x000000000026A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe

MD5 c8e450f5bf2b3be41a6329bb78242bf2
SHA1 2a1388a51884b8025366ec0cc90aa168eaf28ecb
SHA256 b897fedfd41567133a1c697a0a6d9ccc1ad81d6a21daa8dc0ec92f23991178ac
SHA512 e3cf75058db2a5817d11b534a1b142ea71f4cdff4cd6c9e553ba9e4bbca52dba58461023dd17ebc0cd50942e4e0677640910790e11aefe51009f05bd4b760d9e

memory/212-48-0x0000000004C20000-0x0000000004C66000-memory.dmp

memory/212-49-0x00000000072A0000-0x0000000007844000-memory.dmp

memory/212-50-0x00000000071B0000-0x00000000071F4000-memory.dmp

memory/212-68-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-70-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-114-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-110-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-108-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-106-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-104-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-102-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-100-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-98-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-96-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-94-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-92-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-90-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-88-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-86-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-82-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-80-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-78-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-76-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-75-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-72-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-66-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-64-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-63-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-60-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-59-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-56-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-54-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-112-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-84-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-52-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-51-0x00000000071B0000-0x00000000071EE000-memory.dmp

memory/212-957-0x0000000007850000-0x0000000007E68000-memory.dmp

memory/212-958-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

memory/212-959-0x0000000007FE0000-0x0000000007FF2000-memory.dmp

memory/212-960-0x0000000008000000-0x000000000803C000-memory.dmp

memory/212-961-0x0000000008150000-0x000000000819C000-memory.dmp