healer | 79a81e523b3975fb70a90dc17c117a1ddc587ca26fe5b812c1b5a0cf09f6736a

Analysis

max time kernel
196s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2023 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2a08446266b425a3d75ce4716d7543e0_JC.exe
Size

1.2MB
MD5

2a08446266b425a3d75ce4716d7543e0
SHA1

92c8163bb2ab5684936adb837978d25d0ecbc3f4
SHA256

79a81e523b3975fb70a90dc17c117a1ddc587ca26fe5b812c1b5a0cf09f6736a
SHA512

65bd5f3e828a26cbf8c794b4c9976102d0f3ff958815a9bf87fe821eb29534d4774f8905845316b8dc81d292a87a85701c1172c2266a85efdc509b09ae41d6ef
SSDEEP

24576:hyTHiU0yUgvV0dmyJsPCYwjYukDJ4bAiELcxpolNk2:UmU0BgvV0jJsaYwHkt4bEcgNk

Score

10^/10

healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1548-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1548-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1548-38-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1548-40-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/564-28-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 6 IoCs

Processes:

z0371290.exez9970433.exez6446300.exeq1575803.exer5704751.exes1408997.exe

pid process

2900 z0371290.exe
1736 z9970433.exe
3180 z6446300.exe
3996 q1575803.exe
1564 r5704751.exe
1620 s1408997.exe

pid	process
2900	z0371290.exe
1736	z9970433.exe
3180	z6446300.exe
3996	q1575803.exe
1564	r5704751.exe
1620	s1408997.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.2a08446266b425a3d75ce4716d7543e0_JC.exez0371290.exez9970433.exez6446300.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.2a08446266b425a3d75ce4716d7543e0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0371290.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9970433.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z6446300.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

q1575803.exer5704751.exes1408997.exe

description	pid	process	target process
PID 3996 set thread context of 564	3996	q1575803.exe	AppLaunch.exe
PID 1564 set thread context of 1548	1564	r5704751.exe	AppLaunch.exe
PID 1620 set thread context of 1292	1620	s1408997.exe	AppLaunch.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3332	3996	WerFault.exe	q1575803.exe
4844	1564	WerFault.exe	r5704751.exe
832	1548	WerFault.exe	AppLaunch.exe
3060	1620	WerFault.exe	s1408997.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

564 AppLaunch.exe
564 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 564 AppLaunch.exe

pid	process
564	AppLaunch.exe
564	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	564	AppLaunch.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

NEAS.2a08446266b425a3d75ce4716d7543e0_JC.exez0371290.exez9970433.exez6446300.exeq1575803.exer5704751.exes1408997.exe

description	pid	process	target process
PID 3296 wrote to memory of 2900	3296	NEAS.2a08446266b425a3d75ce4716d7543e0_JC.exe	z0371290.exe
PID 3296 wrote to memory of 2900	3296	NEAS.2a08446266b425a3d75ce4716d7543e0_JC.exe	z0371290.exe
PID 3296 wrote to memory of 2900	3296	NEAS.2a08446266b425a3d75ce4716d7543e0_JC.exe	z0371290.exe
PID 2900 wrote to memory of 1736	2900	z0371290.exe	z9970433.exe
PID 2900 wrote to memory of 1736	2900	z0371290.exe	z9970433.exe
PID 2900 wrote to memory of 1736	2900	z0371290.exe	z9970433.exe
PID 1736 wrote to memory of 3180	1736	z9970433.exe	z6446300.exe
PID 1736 wrote to memory of 3180	1736	z9970433.exe	z6446300.exe
PID 1736 wrote to memory of 3180	1736	z9970433.exe	z6446300.exe
PID 3180 wrote to memory of 3996	3180	z6446300.exe	q1575803.exe
PID 3180 wrote to memory of 3996	3180	z6446300.exe	q1575803.exe
PID 3180 wrote to memory of 3996	3180	z6446300.exe	q1575803.exe
PID 3996 wrote to memory of 564	3996	q1575803.exe	AppLaunch.exe
PID 3996 wrote to memory of 564	3996	q1575803.exe	AppLaunch.exe
PID 3996 wrote to memory of 564	3996	q1575803.exe	AppLaunch.exe
PID 3996 wrote to memory of 564	3996	q1575803.exe	AppLaunch.exe
PID 3996 wrote to memory of 564	3996	q1575803.exe	AppLaunch.exe
PID 3996 wrote to memory of 564	3996	q1575803.exe	AppLaunch.exe
PID 3996 wrote to memory of 564	3996	q1575803.exe	AppLaunch.exe
PID 3996 wrote to memory of 564	3996	q1575803.exe	AppLaunch.exe
PID 3180 wrote to memory of 1564	3180	z6446300.exe	r5704751.exe
PID 3180 wrote to memory of 1564	3180	z6446300.exe	r5704751.exe
PID 3180 wrote to memory of 1564	3180	z6446300.exe	r5704751.exe
PID 1564 wrote to memory of 1548	1564	r5704751.exe	AppLaunch.exe
PID 1564 wrote to memory of 1548	1564	r5704751.exe	AppLaunch.exe
PID 1564 wrote to memory of 1548	1564	r5704751.exe	AppLaunch.exe
PID 1564 wrote to memory of 1548	1564	r5704751.exe	AppLaunch.exe
PID 1564 wrote to memory of 1548	1564	r5704751.exe	AppLaunch.exe
PID 1564 wrote to memory of 1548	1564	r5704751.exe	AppLaunch.exe
PID 1564 wrote to memory of 1548	1564	r5704751.exe	AppLaunch.exe
PID 1564 wrote to memory of 1548	1564	r5704751.exe	AppLaunch.exe
PID 1564 wrote to memory of 1548	1564	r5704751.exe	AppLaunch.exe
PID 1564 wrote to memory of 1548	1564	r5704751.exe	AppLaunch.exe
PID 1736 wrote to memory of 1620	1736	z9970433.exe	s1408997.exe
PID 1736 wrote to memory of 1620	1736	z9970433.exe	s1408997.exe
PID 1736 wrote to memory of 1620	1736	z9970433.exe	s1408997.exe
PID 1620 wrote to memory of 1292	1620	s1408997.exe	AppLaunch.exe
PID 1620 wrote to memory of 1292	1620	s1408997.exe	AppLaunch.exe
PID 1620 wrote to memory of 1292	1620	s1408997.exe	AppLaunch.exe
PID 1620 wrote to memory of 1292	1620	s1408997.exe	AppLaunch.exe
PID 1620 wrote to memory of 1292	1620	s1408997.exe	AppLaunch.exe
PID 1620 wrote to memory of 1292	1620	s1408997.exe	AppLaunch.exe
PID 1620 wrote to memory of 1292	1620	s1408997.exe	AppLaunch.exe
PID 1620 wrote to memory of 1292	1620	s1408997.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.2a08446266b425a3d75ce4716d7543e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2a08446266b425a3d75ce4716d7543e0_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3296

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0371290.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0371290.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2900

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9970433.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9970433.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6446300.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6446300.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3180

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q1575803.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q1575803.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 592
6⤵
- Program crash
PID:3332

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r5704751.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r5704751.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 540
7⤵
- Program crash
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 152
6⤵
- Program crash
PID:4844

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s1408997.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s1408997.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 596
5⤵
- Program crash
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3996 -ip 3996
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1564 -ip 1564
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1548 -ip 1548
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1620 -ip 1620
1⤵
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0371290.exe
Filesize
1.0MB

MD5
76b9573fc5aa2230b969a3b4a11259e2

SHA1
d395e22aa9e558484e4b55139c0e1622364a2e82

SHA256
f0aa7c93c4cfbc8384ca760314a1f611a330298861d92be38d5f8caad5b16ceb

SHA512
0d54678d144c0e210725bbdc30eef7a2f3fea8702bdad64e4ab4d9db13fd2d0de0fd0340fa1d0277af8c0ad41e638026015d66225145332bbdf52b3e3f0a1ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0371290.exe
Filesize
1.0MB

MD5
76b9573fc5aa2230b969a3b4a11259e2

SHA1
d395e22aa9e558484e4b55139c0e1622364a2e82

SHA256
f0aa7c93c4cfbc8384ca760314a1f611a330298861d92be38d5f8caad5b16ceb

SHA512
0d54678d144c0e210725bbdc30eef7a2f3fea8702bdad64e4ab4d9db13fd2d0de0fd0340fa1d0277af8c0ad41e638026015d66225145332bbdf52b3e3f0a1ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9970433.exe
Filesize
880KB

MD5
524338d3e4327fea8c52b3da4d2005e8

SHA1
90d679b4a7ec10cf5fe2240156226fded75ce8d0

SHA256
a10e36af16ddeeb7aaffea832977fbcf3eefac16e26ee4d497bce0a4c59b618e

SHA512
2044e479d7f1f2cadb3c9fc98ab4d2ade784f13d3edbefa392213dbb3c780e07c010d01e9a451356e7ff649060d5638ab715f756e58fa37bceb62232a7ae8810

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9970433.exe
Filesize
880KB

MD5
524338d3e4327fea8c52b3da4d2005e8

SHA1
90d679b4a7ec10cf5fe2240156226fded75ce8d0

SHA256
a10e36af16ddeeb7aaffea832977fbcf3eefac16e26ee4d497bce0a4c59b618e

SHA512
2044e479d7f1f2cadb3c9fc98ab4d2ade784f13d3edbefa392213dbb3c780e07c010d01e9a451356e7ff649060d5638ab715f756e58fa37bceb62232a7ae8810

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s1408997.exe
Filesize
1.0MB

MD5
c61ccb08add0ad253290547429e63d49

SHA1
217192237fe7dfab3f1766b81e33497db5ee4322

SHA256
6ba72c28e11cacf44ebeb9137104495ae4a46518b60cad5bb71a2436db9c0fb6

SHA512
8a9d404c1bd4bbc92e1c1620070613c0fedbe2f0327c0a752629c00b153102d5150717186c3ecc48b3bf12fd8f4293e85c3df890bf6b34e5bef9262c204776f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s1408997.exe
Filesize
1.0MB

MD5
c61ccb08add0ad253290547429e63d49

SHA1
217192237fe7dfab3f1766b81e33497db5ee4322

SHA256
6ba72c28e11cacf44ebeb9137104495ae4a46518b60cad5bb71a2436db9c0fb6

SHA512
8a9d404c1bd4bbc92e1c1620070613c0fedbe2f0327c0a752629c00b153102d5150717186c3ecc48b3bf12fd8f4293e85c3df890bf6b34e5bef9262c204776f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6446300.exe
Filesize
490KB

MD5
a269aeb55509715c071d68ac5d929e8a

SHA1
ab1d435685061fa873af1f52e0ae8a3547016547

SHA256
8d179a5660038a16dfd5dee3af6197edb5f046b037039461da3702019e326d7b

SHA512
3a796a6b8b85e431318d304447e29ffac80a9ec026ea68a453585d22425994f13f5a13de6883e3c59c4a4309e520b3c55098ef3bda68c2f7c0f265d1e1779832

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6446300.exe
Filesize
490KB

MD5
a269aeb55509715c071d68ac5d929e8a

SHA1
ab1d435685061fa873af1f52e0ae8a3547016547

SHA256
8d179a5660038a16dfd5dee3af6197edb5f046b037039461da3702019e326d7b

SHA512
3a796a6b8b85e431318d304447e29ffac80a9ec026ea68a453585d22425994f13f5a13de6883e3c59c4a4309e520b3c55098ef3bda68c2f7c0f265d1e1779832

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q1575803.exe
Filesize
860KB

MD5
cf37791334475813f263f72f6ad27c69

SHA1
12999d2bd6e5f0eb9642ca9836b901f130eb2564

SHA256
a1b7b342a99d7448c5bc141382a6cbd26dd65a518d668ffec46514c304894f15

SHA512
49d31bd4718bed8eb91a44f6a21bdd349f724926b3c78ca1e6fbe7a0c149e8859e4c9680b5332f36ea53a4267c3d4750395a2c293ef996e20e89632eff5aaa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q1575803.exe
Filesize
860KB

MD5
cf37791334475813f263f72f6ad27c69

SHA1
12999d2bd6e5f0eb9642ca9836b901f130eb2564

SHA256
a1b7b342a99d7448c5bc141382a6cbd26dd65a518d668ffec46514c304894f15

SHA512
49d31bd4718bed8eb91a44f6a21bdd349f724926b3c78ca1e6fbe7a0c149e8859e4c9680b5332f36ea53a4267c3d4750395a2c293ef996e20e89632eff5aaa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r5704751.exe
Filesize
1016KB

MD5
92e0f99949db4cd008b563868e44b22f

SHA1
36fe46ce03c6f6ee8ae4caa82d2b40a2a2790d92

SHA256
20069939ac76b72be2511062ab8743d07634bb3b39f68c5fea7664713f5f49e3

SHA512
af7190b2783676272c7a0136ddb02280e0dff1f645ffd0f060dbd9cf06dbe5ea00a4b5da7380a407a70edea754f4cb57637dd83c37da80b12ea5f686628f39a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r5704751.exe
Filesize
1016KB

MD5
92e0f99949db4cd008b563868e44b22f

SHA1
36fe46ce03c6f6ee8ae4caa82d2b40a2a2790d92

SHA256
20069939ac76b72be2511062ab8743d07634bb3b39f68c5fea7664713f5f49e3

SHA512
af7190b2783676272c7a0136ddb02280e0dff1f645ffd0f060dbd9cf06dbe5ea00a4b5da7380a407a70edea754f4cb57637dd83c37da80b12ea5f686628f39a2

Download Submit
memory/564-30-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/564-32-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/564-29-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/564-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1292-44-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1292-46-0x00000000738E0000-0x0000000074090000-memory.dmp

Filesize
7.7MB

Download
memory/1548-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1548-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1548-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1548-40-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download