healer | 16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132

Analysis

max time kernel
144s
max time network
156s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe
Size

3.1MB
MD5

b0c402d3ffde0431353328b720814663
SHA1

382eed9c15c8508e1c96d2176e2f9209eca1b27e
SHA256

16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132
SHA512

2de984feabfcde9adff04848294d08ffe52e4179ecb6b56433e216e96f41f8ccdbccf25046cfaff99f7fb0d1cd3ea743ec9569e50f61e2e3a020121011b4d0c8
SSDEEP

49152:SqFTg0pXxVm8qBiU6a3vj459/z73GJgfVKSOFHdaiDM:SqFTi8VL5X/fvoHdND

Score

10^/10

healer redline ramon dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

ramon

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

resource	yara_rule
behavioral1/memory/2544-51-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2544-52-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2544-54-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2544-56-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2544-58-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2680	x5616068.exe
2768	x5324075.exe
292	g5541461.exe
3064	i0022949.exe

Loads dropped DLL 9 IoCs

pid	Process
2620	AppLaunch.exe
2680	x5616068.exe
2680	x5616068.exe
2768	x5324075.exe
2768	x5324075.exe
2768	x5324075.exe
292	g5541461.exe
2768	x5324075.exe
3064	i0022949.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5616068.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5324075.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1272 set thread context of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 292 set thread context of 2544	292	g5541461.exe	34

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2544	AppLaunch.exe
2544	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	AppLaunch.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 1272 wrote to memory of 2620	1272	16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe	29
PID 2620 wrote to memory of 2680	2620	AppLaunch.exe	30
PID 2620 wrote to memory of 2680	2620	AppLaunch.exe	30
PID 2620 wrote to memory of 2680	2620	AppLaunch.exe	30
PID 2620 wrote to memory of 2680	2620	AppLaunch.exe	30
PID 2620 wrote to memory of 2680	2620	AppLaunch.exe	30
PID 2620 wrote to memory of 2680	2620	AppLaunch.exe	30
PID 2620 wrote to memory of 2680	2620	AppLaunch.exe	30
PID 2680 wrote to memory of 2768	2680	x5616068.exe	31
PID 2680 wrote to memory of 2768	2680	x5616068.exe	31
PID 2680 wrote to memory of 2768	2680	x5616068.exe	31
PID 2680 wrote to memory of 2768	2680	x5616068.exe	31
PID 2680 wrote to memory of 2768	2680	x5616068.exe	31
PID 2680 wrote to memory of 2768	2680	x5616068.exe	31
PID 2680 wrote to memory of 2768	2680	x5616068.exe	31
PID 2768 wrote to memory of 292	2768	x5324075.exe	32
PID 2768 wrote to memory of 292	2768	x5324075.exe	32
PID 2768 wrote to memory of 292	2768	x5324075.exe	32
PID 2768 wrote to memory of 292	2768	x5324075.exe	32
PID 2768 wrote to memory of 292	2768	x5324075.exe	32
PID 2768 wrote to memory of 292	2768	x5324075.exe	32
PID 2768 wrote to memory of 292	2768	x5324075.exe	32
PID 292 wrote to memory of 2544	292	g5541461.exe	34
PID 292 wrote to memory of 2544	292	g5541461.exe	34
PID 292 wrote to memory of 2544	292	g5541461.exe	34
PID 292 wrote to memory of 2544	292	g5541461.exe	34
PID 292 wrote to memory of 2544	292	g5541461.exe	34
PID 292 wrote to memory of 2544	292	g5541461.exe	34
PID 292 wrote to memory of 2544	292	g5541461.exe	34
PID 292 wrote to memory of 2544	292	g5541461.exe	34
PID 292 wrote to memory of 2544	292	g5541461.exe	34
PID 292 wrote to memory of 2544	292	g5541461.exe	34
PID 292 wrote to memory of 2544	292	g5541461.exe	34
PID 292 wrote to memory of 2544	292	g5541461.exe	34
PID 2768 wrote to memory of 3064	2768	x5324075.exe	35
PID 2768 wrote to memory of 3064	2768	x5324075.exe	35
PID 2768 wrote to memory of 3064	2768	x5324075.exe	35
PID 2768 wrote to memory of 3064	2768	x5324075.exe	35
PID 2768 wrote to memory of 3064	2768	x5324075.exe	35
PID 2768 wrote to memory of 3064	2768	x5324075.exe	35
PID 2768 wrote to memory of 3064	2768	x5324075.exe	35

C:\Users\Admin\AppData\Local\Temp\16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe
"C:\Users\Admin\AppData\Local\Temp\16dce0cb4a096d566fade0b3761d95c7d45d25227a6de8aef60893b029310132.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5616068.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5616068.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5324075.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5324075.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5541461.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5541461.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:292
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0022949.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0022949.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5616068.exe

Filesize
730KB

MD5
5be6b458cd539f780032b626ae9b44ab

SHA1
523838ba0dc65323cc43d4111c3ebcd08edfa71a

SHA256
fe508b0b89bd181b75214ddad4365f70753def42557a9ffc1efc91b738d64b6b

SHA512
2d6668a6417ea5691a92609e1083dddebf64d7f6a41302dc129a20651dad0f9a025fc4255d06317009d0d081282d719811893186709341bd80a82ba4e3410006

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5616068.exe

Filesize
730KB

MD5
5be6b458cd539f780032b626ae9b44ab

SHA1
523838ba0dc65323cc43d4111c3ebcd08edfa71a

SHA256
fe508b0b89bd181b75214ddad4365f70753def42557a9ffc1efc91b738d64b6b

SHA512
2d6668a6417ea5691a92609e1083dddebf64d7f6a41302dc129a20651dad0f9a025fc4255d06317009d0d081282d719811893186709341bd80a82ba4e3410006

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5324075.exe

Filesize
564KB

MD5
b237e9fa81d0c1f710575c94d00b317a

SHA1
e7f96894185af1990a6d5da435ee90e74a51de64

SHA256
71bd979e71b8c92adef9842c5dc665b941fc54c18c936d120e99bc8e811b8dda

SHA512
a85e5c805d91068b91e366d0fc6c02e6540e07bf56ed08bc439686a8006c5211436e223d455011f065efcee3ac861f22bfa359928aabc6f6f423c456e45fb92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5324075.exe

Filesize
564KB

MD5
b237e9fa81d0c1f710575c94d00b317a

SHA1
e7f96894185af1990a6d5da435ee90e74a51de64

SHA256
71bd979e71b8c92adef9842c5dc665b941fc54c18c936d120e99bc8e811b8dda

SHA512
a85e5c805d91068b91e366d0fc6c02e6540e07bf56ed08bc439686a8006c5211436e223d455011f065efcee3ac861f22bfa359928aabc6f6f423c456e45fb92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5541461.exe

Filesize
1.6MB

MD5
71d68b0d79691788af1461551a6bd776

SHA1
946c357cc64191b3dfe552c6488b464ae09c6288

SHA256
086ad82fbf725369cdc3120f3b6d4fedc092d348f099afd907a0bd6fb97715bf

SHA512
ada6404c41c312a340401b808b3a89a7a1fa0242ce5a1f75b04d672c42f9258b4a68d0cd02cc553f59ec1d07c26d99f2ca3457bd8e8785fef55483d670382ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5541461.exe

Filesize
1.6MB

MD5
71d68b0d79691788af1461551a6bd776

SHA1
946c357cc64191b3dfe552c6488b464ae09c6288

SHA256
086ad82fbf725369cdc3120f3b6d4fedc092d348f099afd907a0bd6fb97715bf

SHA512
ada6404c41c312a340401b808b3a89a7a1fa0242ce5a1f75b04d672c42f9258b4a68d0cd02cc553f59ec1d07c26d99f2ca3457bd8e8785fef55483d670382ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5541461.exe

Filesize
1.6MB

MD5
71d68b0d79691788af1461551a6bd776

SHA1
946c357cc64191b3dfe552c6488b464ae09c6288

SHA256
086ad82fbf725369cdc3120f3b6d4fedc092d348f099afd907a0bd6fb97715bf

SHA512
ada6404c41c312a340401b808b3a89a7a1fa0242ce5a1f75b04d672c42f9258b4a68d0cd02cc553f59ec1d07c26d99f2ca3457bd8e8785fef55483d670382ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0022949.exe

Filesize
174KB

MD5
ada3b731661ba761899dbfa2329f38c7

SHA1
718216a83135c047af8ed017fc876b8f08aadae7

SHA256
508ffd661239990d84b655b43d74872bcd469f1a37be6f083fa5ce7bcfe05f23

SHA512
7eb22774982ba6571b77bb2e8dfb7828f381fe9e015b87b4f5662e89d7b44fe4db3cccf5e67ebe9fda9023f8ba2c059574ef190b7e48978c30c9ff2162e02f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0022949.exe

Filesize
174KB

MD5
ada3b731661ba761899dbfa2329f38c7

SHA1
718216a83135c047af8ed017fc876b8f08aadae7

SHA256
508ffd661239990d84b655b43d74872bcd469f1a37be6f083fa5ce7bcfe05f23

SHA512
7eb22774982ba6571b77bb2e8dfb7828f381fe9e015b87b4f5662e89d7b44fe4db3cccf5e67ebe9fda9023f8ba2c059574ef190b7e48978c30c9ff2162e02f71

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5616068.exe

Filesize
730KB

MD5
5be6b458cd539f780032b626ae9b44ab

SHA1
523838ba0dc65323cc43d4111c3ebcd08edfa71a

SHA256
fe508b0b89bd181b75214ddad4365f70753def42557a9ffc1efc91b738d64b6b

SHA512
2d6668a6417ea5691a92609e1083dddebf64d7f6a41302dc129a20651dad0f9a025fc4255d06317009d0d081282d719811893186709341bd80a82ba4e3410006

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5616068.exe

Filesize
730KB

MD5
5be6b458cd539f780032b626ae9b44ab

SHA1
523838ba0dc65323cc43d4111c3ebcd08edfa71a

SHA256
fe508b0b89bd181b75214ddad4365f70753def42557a9ffc1efc91b738d64b6b

SHA512
2d6668a6417ea5691a92609e1083dddebf64d7f6a41302dc129a20651dad0f9a025fc4255d06317009d0d081282d719811893186709341bd80a82ba4e3410006

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5324075.exe

Filesize
564KB

MD5
b237e9fa81d0c1f710575c94d00b317a

SHA1
e7f96894185af1990a6d5da435ee90e74a51de64

SHA256
71bd979e71b8c92adef9842c5dc665b941fc54c18c936d120e99bc8e811b8dda

SHA512
a85e5c805d91068b91e366d0fc6c02e6540e07bf56ed08bc439686a8006c5211436e223d455011f065efcee3ac861f22bfa359928aabc6f6f423c456e45fb92d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5324075.exe

Filesize
564KB

MD5
b237e9fa81d0c1f710575c94d00b317a

SHA1
e7f96894185af1990a6d5da435ee90e74a51de64

SHA256
71bd979e71b8c92adef9842c5dc665b941fc54c18c936d120e99bc8e811b8dda

SHA512
a85e5c805d91068b91e366d0fc6c02e6540e07bf56ed08bc439686a8006c5211436e223d455011f065efcee3ac861f22bfa359928aabc6f6f423c456e45fb92d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5541461.exe

Filesize
1.6MB

MD5
71d68b0d79691788af1461551a6bd776

SHA1
946c357cc64191b3dfe552c6488b464ae09c6288

SHA256
086ad82fbf725369cdc3120f3b6d4fedc092d348f099afd907a0bd6fb97715bf

SHA512
ada6404c41c312a340401b808b3a89a7a1fa0242ce5a1f75b04d672c42f9258b4a68d0cd02cc553f59ec1d07c26d99f2ca3457bd8e8785fef55483d670382ffb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5541461.exe

Filesize
1.6MB

MD5
71d68b0d79691788af1461551a6bd776

SHA1
946c357cc64191b3dfe552c6488b464ae09c6288

SHA256
086ad82fbf725369cdc3120f3b6d4fedc092d348f099afd907a0bd6fb97715bf

SHA512
ada6404c41c312a340401b808b3a89a7a1fa0242ce5a1f75b04d672c42f9258b4a68d0cd02cc553f59ec1d07c26d99f2ca3457bd8e8785fef55483d670382ffb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5541461.exe

Filesize
1.6MB

MD5
71d68b0d79691788af1461551a6bd776

SHA1
946c357cc64191b3dfe552c6488b464ae09c6288

SHA256
086ad82fbf725369cdc3120f3b6d4fedc092d348f099afd907a0bd6fb97715bf

SHA512
ada6404c41c312a340401b808b3a89a7a1fa0242ce5a1f75b04d672c42f9258b4a68d0cd02cc553f59ec1d07c26d99f2ca3457bd8e8785fef55483d670382ffb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0022949.exe

Filesize
174KB

MD5
ada3b731661ba761899dbfa2329f38c7

SHA1
718216a83135c047af8ed017fc876b8f08aadae7

SHA256
508ffd661239990d84b655b43d74872bcd469f1a37be6f083fa5ce7bcfe05f23

SHA512
7eb22774982ba6571b77bb2e8dfb7828f381fe9e015b87b4f5662e89d7b44fe4db3cccf5e67ebe9fda9023f8ba2c059574ef190b7e48978c30c9ff2162e02f71

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0022949.exe

Filesize
174KB

MD5
ada3b731661ba761899dbfa2329f38c7

SHA1
718216a83135c047af8ed017fc876b8f08aadae7

SHA256
508ffd661239990d84b655b43d74872bcd469f1a37be6f083fa5ce7bcfe05f23

SHA512
7eb22774982ba6571b77bb2e8dfb7828f381fe9e015b87b4f5662e89d7b44fe4db3cccf5e67ebe9fda9023f8ba2c059574ef190b7e48978c30c9ff2162e02f71

Download Submit
memory/2544-51-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2544-49-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2544-58-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2544-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2544-54-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2544-52-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2544-50-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2620-8-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/2620-7-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/2620-0-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/2620-10-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/2620-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2620-12-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/2620-14-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/2620-15-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/2620-6-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/2620-4-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/2620-2-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/2620-67-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/3064-66-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/3064-65-0x00000000013B0000-0x00000000013E0000-memory.dmp

Filesize
192KB

Download