healer | cd6b42df418c54a291b058fd2900cc3d2519376461a9d1a11b108f3a389caab9

Analysis

max time kernel
140s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WX3.exe
Size

916KB
MD5

9ac6079806fb87b0f396b7af773db257
SHA1

ef3ad6fe0aa54146701c57424d0efb6b62abdb6c
SHA256

cd6b42df418c54a291b058fd2900cc3d2519376461a9d1a11b108f3a389caab9
SHA512

3b68b75593d22bec2b12bde480ab7c434a9c47cdc90fc79a23a6744ba7027a376bbce9809b18e09e290627cee122952b8a57598ffcaf4bc38698a19eebc82a63
SSDEEP

12288:2Mrby906ebnGZA2B4FGP25i6A24wVkI3LFacF48DTwWYIierlXPsw1VUyz6WfbVF:tyS92B32Uu4wiAHxPxLnirC

Score

10^/10

healer redline maxi norm dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

maxi

77.91.124.145:4125

Attributes

auth_value
6e90da232d4c2e35c1a36c250f5f8904

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu035792.exe	healer
behavioral2/memory/2156-21-0x0000000000910000-0x000000000091A000-memory.dmp	healer
behavioral2/memory/4288-34-0x0000000004B20000-0x0000000004B3A000-memory.dmp	healer
behavioral2/memory/4288-37-0x0000000004B80000-0x0000000004B98000-memory.dmp	healer
behavioral2/memory/4288-39-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-40-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-42-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-44-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-46-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-48-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-50-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-56-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-54-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-52-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-58-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-60-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-62-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-64-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral2/memory/4288-66-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

bu035792.execor0582.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu035792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu035792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu035792.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor0582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor0582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor0582.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu035792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu035792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu035792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor0582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor0582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor0582.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2000-2169-0x0000000005430000-0x0000000005462000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral2/memory/3256-2182-0x0000000000050000-0x0000000000080000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en015455.exe	family_redline
behavioral2/memory/5000-2197-0x0000000000330000-0x000000000035E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dmO95s84.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	dmO95s84.exe

Executes dropped EXE 7 IoCs

Processes:

kina0373.exekina8931.exebu035792.execor0582.exedmO95s84.exe1.exeen015455.exe

pid process

4576 kina0373.exe
3192 kina8931.exe
2156 bu035792.exe
4288 cor0582.exe
2000 dmO95s84.exe
3256 1.exe
5000 en015455.exe

pid	process
4576	kina0373.exe
3192	kina8931.exe
2156	bu035792.exe
4288	cor0582.exe
2000	dmO95s84.exe
3256	1.exe
5000	en015455.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bu035792.execor0582.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu035792.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor0582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor0582.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WX3.exekina0373.exekina8931.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	WX3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina0373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina8931.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1948 2000 WerFault.exe dmO95s84.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

bu035792.execor0582.exe

pid process

2156 bu035792.exe
2156 bu035792.exe
4288 cor0582.exe
4288 cor0582.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bu035792.execor0582.exedmO95s84.exe

description pid process

Token: SeDebugPrivilege 2156 bu035792.exe
Token: SeDebugPrivilege 4288 cor0582.exe
Token: SeDebugPrivilege 2000 dmO95s84.exe

pid	pid_target	process	target process
1948	2000	WerFault.exe	dmO95s84.exe

pid	process
2156	bu035792.exe
2156	bu035792.exe
4288	cor0582.exe
4288	cor0582.exe

description	pid	process
Token: SeDebugPrivilege	2156	bu035792.exe
Token: SeDebugPrivilege	4288	cor0582.exe
Token: SeDebugPrivilege	2000	dmO95s84.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WX3.exekina0373.exekina8931.exedmO95s84.exe

description	pid	process	target process
PID 1620 wrote to memory of 4576	1620	WX3.exe	kina0373.exe
PID 1620 wrote to memory of 4576	1620	WX3.exe	kina0373.exe
PID 1620 wrote to memory of 4576	1620	WX3.exe	kina0373.exe
PID 4576 wrote to memory of 3192	4576	kina0373.exe	kina8931.exe
PID 4576 wrote to memory of 3192	4576	kina0373.exe	kina8931.exe
PID 4576 wrote to memory of 3192	4576	kina0373.exe	kina8931.exe
PID 3192 wrote to memory of 2156	3192	kina8931.exe	bu035792.exe
PID 3192 wrote to memory of 2156	3192	kina8931.exe	bu035792.exe
PID 3192 wrote to memory of 4288	3192	kina8931.exe	cor0582.exe
PID 3192 wrote to memory of 4288	3192	kina8931.exe	cor0582.exe
PID 3192 wrote to memory of 4288	3192	kina8931.exe	cor0582.exe
PID 4576 wrote to memory of 2000	4576	kina0373.exe	dmO95s84.exe
PID 4576 wrote to memory of 2000	4576	kina0373.exe	dmO95s84.exe
PID 4576 wrote to memory of 2000	4576	kina0373.exe	dmO95s84.exe
PID 2000 wrote to memory of 3256	2000	dmO95s84.exe	1.exe
PID 2000 wrote to memory of 3256	2000	dmO95s84.exe	1.exe
PID 2000 wrote to memory of 3256	2000	dmO95s84.exe	1.exe
PID 1620 wrote to memory of 5000	1620	WX3.exe	en015455.exe
PID 1620 wrote to memory of 5000	1620	WX3.exe	en015455.exe
PID 1620 wrote to memory of 5000	1620	WX3.exe	en015455.exe

C:\Users\Admin\AppData\Local\Temp\WX3.exe
"C:\Users\Admin\AppData\Local\Temp\WX3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina0373.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina0373.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina8931.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina8931.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu035792.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu035792.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor0582.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor0582.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dmO95s84.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dmO95s84.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1372
4⤵
- Program crash
PID:1948

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en015455.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en015455.exe
2⤵
- Executes dropped EXE
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2000 -ip 2000
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en015455.exe
Filesize
168KB

MD5
9d86063fc7de11762516c0e39a895cdc

SHA1
ecab5814409a278e305dda153a7a58f4057f282d

SHA256
24ccce9355286d59cbb8fefc1de4c8115dab62747bf2a868fca792060816f361

SHA512
24a2339d7a8a5a69e3faa641ef65d4dad444a0c637bdc8650120e1c0af73ef8ae002e5ea11b5e2aace495162fd72f42afb6ba843288ac5e252dcdc4af3bf6a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina0373.exe
Filesize
762KB

MD5
f876d8769b0abf367823f01afc87f65a

SHA1
957a66e805c61f60c6b820e2fb8ca67dae3fbed5

SHA256
fbec8ee70fb0156a1c0591f271ce602693d35ce4621e5d588bbe6aa1c44fc487

SHA512
c4dc20b2aa8878d4f359b05af51c976f43b47581d69aa2e602f5df7cf9d41f65b241c49801c667298768632d4116d6c567512b369bfe88119a881ebaf705638c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dmO95s84.exe
Filesize
417KB

MD5
9f440200db1ef238efcf4f1d486d5b4f

SHA1
d6f3608fed2cfd6fce641d67462e6c85705b93dc

SHA256
2b25c6ba02dbb797af2a65d358543b64627ebcc16a8f5361ba18a95402e7f434

SHA512
48a311c11713bcd1bc6f28defc17dfee6c612da2fa659549335eea549b8b9da7169ca842480c96d7757644c42f504caad086c1085132e595c5073ac29ee65e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina8931.exe
Filesize
315KB

MD5
d7b3fd8dc7bee73705a82a30f37d2021

SHA1
eb6e8d763a83a08ff7f5dcfdbd89911419651901

SHA256
1a60fc409319e0d1b88870ad787512c4926f6a667a7576859238aa2b93143829

SHA512
45bc46c550b254c3f160020c51c0f835d929def6ccba0b38f2562285fba212961267dbbfa92a11120232c1d6f46f4b97b1ae4c45e6e977b2f7877dc809135113

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu035792.exe
Filesize
12KB

MD5
1cd26b99e5e0ac90baa24c25deb05985

SHA1
fe2d38868cfabd33ea06b30b2c8362d53f5d841e

SHA256
b33847e5d19af70672a49b8a34d1ba576fdc4f054835dfe6f424441b2caa9a72

SHA512
889f3724d758a55f7f17b61d74e04a0392765ddf8f03acaceca2317affb7c34a655efee18c14c3a52f67e6a0bc33521b686acebc10dcfb7fa128e72b326baddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor0582.exe
Filesize
233KB

MD5
93915da06ce64c4f01792696d8bac219

SHA1
ab0245ba9fee65cc76ea21f8ca52d7b74ee39eae

SHA256
34111d4f8888f21f4090d2321aa9aa8e4568916aef0f640523c95592efdef514

SHA512
4c2c7b547bd19bdf1713ded521155d68546fb867428b7bc2d8f49aedf66dabf61d14d9199ec7698c01b4f8f3f8fbae16b29a2ef092027228cba6daa8e68807a2

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/2000-2169-0x0000000005430000-0x0000000005462000-memory.dmp

Filesize
200KB

Download
memory/2000-104-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-81-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2000-2193-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2000-2192-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2000-2187-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2000-88-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-78-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/2000-2168-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2000-118-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-116-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-114-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-112-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-110-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-108-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-90-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-106-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-82-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2000-102-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-100-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-98-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-96-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-94-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-92-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-79-0x0000000000600000-0x000000000065B000-memory.dmp

Filesize
364KB

Download
memory/2000-85-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2000-86-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2000-87-0x0000000004B70000-0x0000000004BCF000-memory.dmp

Filesize
380KB

Download
memory/2000-84-0x0000000004B70000-0x0000000004BD6000-memory.dmp

Filesize
408KB

Download
memory/2000-80-0x0000000002540000-0x00000000025A6000-memory.dmp

Filesize
408KB

Download
memory/2000-83-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2156-24-0x00007FFCA74C0000-0x00007FFCA7F81000-memory.dmp

Filesize
10.8MB

Download
memory/2156-22-0x00007FFCA74C0000-0x00007FFCA7F81000-memory.dmp

Filesize
10.8MB

Download
memory/2156-21-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download
memory/3256-2183-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3256-2182-0x0000000000050000-0x0000000000080000-memory.dmp

Filesize
192KB

Download
memory/3256-2203-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3256-2202-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3256-2200-0x0000000004A90000-0x0000000004ADC000-memory.dmp

Filesize
304KB

Download
memory/3256-2190-0x0000000004A20000-0x0000000004A5C000-memory.dmp

Filesize
240KB

Download
memory/3256-2189-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/3256-2188-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3256-2186-0x0000000004BA0000-0x0000000004CAA000-memory.dmp

Filesize
1.0MB

Download
memory/3256-2185-0x00000000050B0000-0x00000000056C8000-memory.dmp

Filesize
6.1MB

Download
memory/3256-2184-0x00000000021F0000-0x00000000021F6000-memory.dmp

Filesize
24KB

Download
memory/4288-58-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-62-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-52-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-54-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-56-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-50-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-46-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-44-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-42-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-40-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-39-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-38-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4288-37-0x0000000004B80000-0x0000000004B98000-memory.dmp

Filesize
96KB

Download
memory/4288-36-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/4288-35-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/4288-60-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-30-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/4288-29-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/4288-64-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-48-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-34-0x0000000004B20000-0x0000000004B3A000-memory.dmp

Filesize
104KB

Download
memory/4288-66-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4288-67-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/4288-68-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/4288-33-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/4288-32-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4288-31-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4288-73-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4288-72-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4288-70-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/5000-2199-0x0000000002520000-0x0000000002526000-memory.dmp

Filesize
24KB

Download
memory/5000-2201-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/5000-2198-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/5000-2197-0x0000000000330000-0x000000000035E000-memory.dmp

Filesize
184KB

Download
memory/5000-2204-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/5000-2205-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download