healer | 70d8c9b6b1ca04dfb10ea4cb4a723d0667023cb50f25b9eb1ca9f06bdaad4a07

Analysis

max time kernel
128s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WEXTRACT1.exe
Size

1.3MB
MD5

8f79c16f1de3e05ee0c368cc72bed63f
SHA1

f3698f5230e09c093044e73b655fd69e25b9c3cb
SHA256

70d8c9b6b1ca04dfb10ea4cb4a723d0667023cb50f25b9eb1ca9f06bdaad4a07
SHA512

7d9053ae99a64fa974a80e7c0652faed3882d4a603aa45c1126cb51d5752c24748aaea67de66075b00c2a71720f18618316065a119a64fa1411109e2acad0bb3
SSDEEP

24576:2yrEsfi12+2waRpCZdVyNlQYRbtXcjqlfi1JoCq:FdY2hpCZdJ6bGGfi1

Score

10^/10

healer redline maza dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maza

185.161.248.73:4164

Attributes

auth_value
474d54c1c2f5291290c53f8378acd684

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2788-47-0x0000000000FD0000-0x0000000000FEA000-memory.dmp	healer
behavioral1/memory/2788-48-0x00000000010B0000-0x00000000010C8000-memory.dmp	healer
behavioral1/memory/2788-68-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-76-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-74-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-72-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-70-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-66-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-64-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-62-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-60-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-58-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-56-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-54-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-52-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-50-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer
behavioral1/memory/2788-49-0x00000000010B0000-0x00000000010C2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a96780884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a96780884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a96780884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a96780884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a96780884.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a96780884.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3040	i30920317.exe
2740	i14658364.exe
2828	i30992395.exe
2788	a96780884.exe
2972	b98853343.exe

Loads dropped DLL 11 IoCs

pid	Process
2068	WEXTRACT1.exe
3040	i30920317.exe
3040	i30920317.exe
2740	i14658364.exe
2740	i14658364.exe
2828	i30992395.exe
2828	i30992395.exe
2828	i30992395.exe
2788	a96780884.exe
2828	i30992395.exe
2972	b98853343.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a96780884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a96780884.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i30992395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	WEXTRACT1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i30920317.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i14658364.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2788	a96780884.exe
2788	a96780884.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	a96780884.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3040	2068	WEXTRACT1.exe	28
PID 2068 wrote to memory of 3040	2068	WEXTRACT1.exe	28
PID 2068 wrote to memory of 3040	2068	WEXTRACT1.exe	28
PID 2068 wrote to memory of 3040	2068	WEXTRACT1.exe	28
PID 2068 wrote to memory of 3040	2068	WEXTRACT1.exe	28
PID 2068 wrote to memory of 3040	2068	WEXTRACT1.exe	28
PID 2068 wrote to memory of 3040	2068	WEXTRACT1.exe	28
PID 3040 wrote to memory of 2740	3040	i30920317.exe	29
PID 3040 wrote to memory of 2740	3040	i30920317.exe	29
PID 3040 wrote to memory of 2740	3040	i30920317.exe	29
PID 3040 wrote to memory of 2740	3040	i30920317.exe	29
PID 3040 wrote to memory of 2740	3040	i30920317.exe	29
PID 3040 wrote to memory of 2740	3040	i30920317.exe	29
PID 3040 wrote to memory of 2740	3040	i30920317.exe	29
PID 2740 wrote to memory of 2828	2740	i14658364.exe	30
PID 2740 wrote to memory of 2828	2740	i14658364.exe	30
PID 2740 wrote to memory of 2828	2740	i14658364.exe	30
PID 2740 wrote to memory of 2828	2740	i14658364.exe	30
PID 2740 wrote to memory of 2828	2740	i14658364.exe	30
PID 2740 wrote to memory of 2828	2740	i14658364.exe	30
PID 2740 wrote to memory of 2828	2740	i14658364.exe	30
PID 2828 wrote to memory of 2788	2828	i30992395.exe	31
PID 2828 wrote to memory of 2788	2828	i30992395.exe	31
PID 2828 wrote to memory of 2788	2828	i30992395.exe	31
PID 2828 wrote to memory of 2788	2828	i30992395.exe	31
PID 2828 wrote to memory of 2788	2828	i30992395.exe	31
PID 2828 wrote to memory of 2788	2828	i30992395.exe	31
PID 2828 wrote to memory of 2788	2828	i30992395.exe	31
PID 2828 wrote to memory of 2972	2828	i30992395.exe	32
PID 2828 wrote to memory of 2972	2828	i30992395.exe	32
PID 2828 wrote to memory of 2972	2828	i30992395.exe	32
PID 2828 wrote to memory of 2972	2828	i30992395.exe	32
PID 2828 wrote to memory of 2972	2828	i30992395.exe	32
PID 2828 wrote to memory of 2972	2828	i30992395.exe	32
PID 2828 wrote to memory of 2972	2828	i30992395.exe	32

C:\Users\Admin\AppData\Local\Temp\WEXTRACT1.exe
"C:\Users\Admin\AppData\Local\Temp\WEXTRACT1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30920317.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30920317.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i14658364.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i14658364.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30992395.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30992395.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a96780884.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a96780884.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b98853343.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b98853343.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30920317.exe

Filesize
63KB

MD5
13df55ac8051a877ed73e618d6d9bef0

SHA1
1125798abc60764c635262ae6b24c998bb1fce4a

SHA256
f1d800b48bfdb246ccaeb9374a018fe7b6b1837ef7a712378d61c7c5b06f0f22

SHA512
01a94dae7636a7d4aa6d953cb865670d50f44662047638e11c074e8b295ddcb5e568c6b794e9784f5e7d1b31f18be0c322b394592cbdaffae61e5de473b4c72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30920317.exe

Filesize
45KB

MD5
16a51ce0a61bf25b8981902093292148

SHA1
1364f52a569118a1bb907bbd381db30897e73c8f

SHA256
91a314c5dbff340ebe4435fd813f9f3f77f8f9240980763591ca97b6d6c31eef

SHA512
11d516b874b91c7520b070814b28149b6f8c2edbc76b67634ae63b50effc30f94828e91090abe3fedb7130527b1c9f9d031c285a048d299317c61268b256cefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i14658364.exe

Filesize
71KB

MD5
e207ab984bec897fac17ceba30248566

SHA1
25a43b0cfb8ed0eaec79b2391bd7035632f6bb09

SHA256
abbf31f58e43a4273d6bcdd252570143ddc5fc0ce95bd4638e51ba01eddfd5e9

SHA512
2320433561954096cd13ee4c6736e58d06df9261aab0d55d90b9fef03dd2458d5d24a03cede3f90f228be5366892c9a33450d13564bd663bfb15f7058913b32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i14658364.exe

Filesize
57KB

MD5
9d4bb96a17277d766f8c9b650eecb91e

SHA1
f5ce6e9c12d48fdf5a0c643cb6e013186b32b5c8

SHA256
c425e5cc620a6cd87b9df9e8b2594e43d0c9119bac27a444a2a896a594aad02e

SHA512
a0bf371fa03bd160800588f1f924229ab5ec351424522f7459320ad1cfc449c18c358087fdf3e5479906c5a2968ff38eaa37f32044d163a201f8a71e683f1b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30992395.exe

Filesize
34KB

MD5
a435fb48870f0bb8bb60e92a9ee60043

SHA1
8c115dd345f49787d912249f3582f097b108d204

SHA256
747299ca0bc894f7965ebc29748a673c511df97e0192dad68f1f54f15bdf81ea

SHA512
753d7d621a352b970a9aa18b4f714a5531a45afd7bfffa683a016647d764909d4f96baf36e44d24a3c88f1931b2d5f0ffdd7b7a534019e161135284812daab8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30992395.exe

Filesize
11KB

MD5
7db26db329293ca0b966da0f67b565d7

SHA1
34040c1585b7ebf65edcea2db0a9b7397f34d43e

SHA256
b1c01e4de82cfb546421ff39ac66e86ebe2c978cdeae8738070ac605262012fd

SHA512
cab84ce361c05c7ea555a4b3755a1c3a97c80c6decfbe20a1a4ab36e7560ca51d5a7bebd7db4e0bde5ceae70b5a57a2e3d1e8aeb2ea4158d2a44520931611763

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a96780884.exe

Filesize
103KB

MD5
c5a76dcc0b5ee2a5509891ccae0faa6b

SHA1
c35622e93343500828c0790bf3bb9991ea5bfe9b

SHA256
655c54c18d8c913c7fc419693aa4d47672f32a5a5720514f0f4ef4d1441f612d

SHA512
88b5f494afdab203d744eaac4b6fba66e28adbfafa08227e62654e6603b2e3cb810848b35b5a8da19019a876a55c3c68399897c2117d522647605869e3fd6158

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a96780884.exe

Filesize
310KB

MD5
bf4e8cac60c2050d2886d696748c46fc

SHA1
a5e63d239d7b39ea1c6c563439fbbbd5559598d9

SHA256
ab34f04887f6e7be9c96affe621a57b2a8aa088f27bfeecfb694a0c6ee6ca050

SHA512
b1d0c4cedeb38c94ae8d602d424ad1ff0ed8538e91371023f8f39a329621cda69f31a21ab95c89ecc6b4e337f5cfd3a381581b4ce1ab96c80cae1f34eb85550d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a96780884.exe

Filesize
197KB

MD5
9248ffa18faf6bc2c60fed0896c40850

SHA1
808e3478a3210d73efde3a7d23c4f557e8e23c8a

SHA256
fe634dafe6027143294da3dbe001e62d6f9126652f654a82aa141a1b4ca9d355

SHA512
5957021e6042b301b83ff10dbb640071c3dc22f5ad2e8edef17cea5c37b4177863c7be47432bf914084167cab16ff191474b0ea7aff75df75a8343a47547f902

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b98853343.exe

Filesize
168KB

MD5
4deb4613e5d4be8515f2bccf2e7cd9b0

SHA1
4f1add325f65c821df49b575481f590b4d145848

SHA256
bfdbece7dfe1b422723d209274ba5129ac46e45d85fb1b22e9f92764f0ee1e76

SHA512
6916b3d22e6ed8132050fc70144f89cdba1d4dba913a14d8370fc66c5e808e199c42f35352ba60c917690d12a0109d6593d290f3f2e1a45933d73c7f7036554b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30920317.exe

Filesize
93KB

MD5
25770644cc45e22af146588a1913be5a

SHA1
cbd64df93f988fce0636ae4224de887c16d0946d

SHA256
cc119ec1ea146ee814b11a8b676d16f6a674e8ace6eba683a774bc621d10b483

SHA512
1851c1f5fcd25c505c17e12e90ec117133093d0d51ba71e5238625816c6c7f7554e0ca9a2942e9c6ce456b6bc0b6fcb61043e71c57b4bacd106aa8c5c181f9ae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30920317.exe

Filesize
135KB

MD5
ea2572d315473b6e4d8193a08c9d1b8b

SHA1
e7fe454d169598044939060e18f1b0fb88cf87f4

SHA256
eb284c5fc2a1448d2af1404a7ca0339d5375b879c9d31bc7f18b0d74105e125f

SHA512
3fbeb23ae4e17309b6e56595021a0b572d054fa62be70c08905e0b02858489fdfbd720d9914266c9ee58f83061d41428f72c635cc3535ba4d8d21b8954e122c9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i14658364.exe

Filesize
79KB

MD5
3fd58b936bf070cafdad39923a5def25

SHA1
0f55d9a6222cb58482bb6aa26897043024cdba43

SHA256
ad979c3edfe6fd330b09cc48d2413fdd5ef39f30cb70a6d7d1238d1d3adb9db5

SHA512
f4d92c90aee22b751fcc26a6f064a0d0529b6556c5e5faaf02e2747a7c5b710514a3b2b5bf577282045a2543b76a9b0b4f04cadc15e847141eaf8a0fc4d5e200

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i14658364.exe

Filesize
70KB

MD5
685398608cceaecdc5cf7ad452324ce9

SHA1
009a28bff6471fb8cbf19937b77e2bb5f618b217

SHA256
e365209d734ad9d34ccd100f0492bafc24850670809db03416c9fb5014cc3a69

SHA512
a8aa75b32a64ae4a8f3ebde8e7836ba94d8bc925b83d441976b78fd3a7b50372142c63c526052a1ebb8540599f881675a94bfb0ef5e6d0d21cb83f729d072fec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30992395.exe

Filesize
64KB

MD5
6104e51bf91bb072837d2a57f4c29651

SHA1
39bda3781450fb6a466f9439738a9bb62be634ff

SHA256
8fa1aa3a3fe1c784fbdaaaa05f58fcc8e353566c1434d4db8a8be04ea1a16591

SHA512
252cabcc880282e48990c76c530b561eb0a17f2ed05730d67a1105970eecb54c432a0039f6d1a5558e980bfb34b5ab5fb03ab4bd688933495bfaffd8d303c19e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30992395.exe

Filesize
92KB

MD5
b1a1ea85cd04df91a90e99f1e18f5bcb

SHA1
0281e91ef1735e7e3056b5d075b69a8de6eb7fd4

SHA256
bbacbfa96a5c7413ab6ee6026f65499c9c75600b4fdfff6f0626df8290eb623f

SHA512
5ad7e4e4f2f9f1446b0fbf51c10ffa7d983a69702f63549e3f9aaa0fab3439d634b2261abcdfef5d6488837955273d2eb37e47e12bfcbbba995a8c784dec1950

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\a96780884.exe

Filesize
14KB

MD5
e0baaf5ada1ae51c1ede80fea9f36a94

SHA1
b9e8d400d00758efaf3680b4a0db929ac40d326b

SHA256
0708f48814e5cfe32c733311b5d68be36f9e06de22177c87285ade4631ff36fa

SHA512
ff7712614e3ef56913b368b68561ec7c7670a3cf262684d1bfe86d6351d8aab6850a699f9c3126afc3eab1109ca2981c61b636c9e0816ee712be9035bde40be5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\a96780884.exe

Filesize
186KB

MD5
d7e2b249c1c0048edf9805f5db71b19a

SHA1
b0f089d9d8ac7b09dec050054b24c3f4b4e206d9

SHA256
fe3cc20676eb5b5b2eeb848c4ec790191056e25d8e245ab1e4d719b2fdb77594

SHA512
5aeb0d8f74dc5c07e0d007adda10b2eadffb045344bf7585685f79d3b739dc4907f80b3d1dca4444c95d865a23b7b66afc9d9d3db5949dc275bf9a310a3a7adf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\a96780884.exe

Filesize
71KB

MD5
6e0b45c29d44e59a8f47ff5dd0f85679

SHA1
8735865e3e2c1d72ef727fead7d622d4bc9ea78f

SHA256
433f253ba335b032d904979eea030bd4598fc6925a314dbfeca2405e7f1cc42b

SHA512
3d2f9454b4a69fccd23c2ae01f7a1fe03673781d909d0fbda2f76ab6a7d4778040f164927ea1620dd21ae6d9eb336a4341b93e3fa3da1aa907a2087d108b86b9

Download Submit
memory/2788-46-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2788-62-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-47-0x0000000000FD0000-0x0000000000FEA000-memory.dmp

Filesize
104KB

Download
memory/2788-48-0x00000000010B0000-0x00000000010C8000-memory.dmp

Filesize
96KB

Download
memory/2788-68-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-76-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-74-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-72-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-70-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-66-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-64-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-45-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/2788-60-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-58-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-56-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-54-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-52-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-50-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-49-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2788-78-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2788-44-0x0000000000B20000-0x0000000000C20000-memory.dmp

Filesize
1024KB

Download
memory/2972-85-0x0000000000F30000-0x0000000000F5E000-memory.dmp

Filesize
184KB

Download
memory/2972-86-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download