healer | e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exe
Size

765KB
MD5

f199c8c303f55c5d18842e1997e13208
SHA1

3dc56a32a2af84cf60c9fb950f2e7d249230c733
SHA256

e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f
SHA512

44e7557a3e818a2d1cc6a8a0cd627faebbc798bc783c4b4587ce1fd6486b71f6070068b190a64af64cc54f65c5edadd5500480d1f5cb8ebc5c5e05ae39ddfa24
SSDEEP

12288:3Mrwy90mS9Dg3lfQBjO5gZ054jnt5XSDpUA3eesuEnWmnWS8dRzAaNUBXXugutsW:DyVLp5gnt5Spn3eeqn9Wt2aOBugutstc

Score

10^/10

healer redline down dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Signatures

Detects Healer an antivirus disabler dropper 20 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bus2264.exe	healer
behavioral1/memory/3608-14-0x00000000009F0000-0x00000000009FA000-memory.dmp	healer
behavioral1/memory/3224-25-0x0000000002780000-0x000000000279A000-memory.dmp	healer
behavioral1/memory/3224-27-0x0000000004E50000-0x0000000004E60000-memory.dmp	healer
behavioral1/memory/3224-30-0x0000000004E00000-0x0000000004E18000-memory.dmp	healer
behavioral1/memory/3224-31-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-32-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-34-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-36-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-38-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-40-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-42-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-44-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-48-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-46-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-50-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-54-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-56-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-58-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral1/memory/3224-52-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

con5744.exebus2264.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	con5744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	con5744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	con5744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus2264.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus2264.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus2264.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	con5744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	con5744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	con5744.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus2264.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus2264.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus2264.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3384-69-0x0000000002520000-0x0000000002566000-memory.dmp	family_redline
behavioral1/memory/3384-71-0x0000000004D10000-0x0000000004D54000-memory.dmp	family_redline
behavioral1/memory/3384-73-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-74-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-81-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-83-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-78-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-85-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-87-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-89-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-91-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-93-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-95-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-97-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-99-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-101-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-103-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-105-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-107-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/3384-109-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 20 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bus2264.exe	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3608-14-0x00000000009F0000-0x00000000009FA000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-25-0x0000000002780000-0x000000000279A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-27-0x0000000004E50000-0x0000000004E60000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-30-0x0000000004E00000-0x0000000004E18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-31-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-32-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-34-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-36-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-38-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-40-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-42-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-44-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-48-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-46-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-50-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-54-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-56-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-58-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3224-52-0x0000000004E00000-0x0000000004E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Executes dropped EXE 4 IoCs

Processes:

kino1116.exebus2264.execon5744.exedMM62s56.exe

pid process

4744 kino1116.exe
3608 bus2264.exe
3224 con5744.exe
3384 dMM62s56.exe

pid	process
4744	kino1116.exe
3608	bus2264.exe
3224	con5744.exe
3384	dMM62s56.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bus2264.execon5744.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus2264.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	con5744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	con5744.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exekino1116.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino1116.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

bus2264.execon5744.exe

pid process

3608 bus2264.exe
3608 bus2264.exe
3224 con5744.exe
3224 con5744.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bus2264.execon5744.exedMM62s56.exe

description pid process

Token: SeDebugPrivilege 3608 bus2264.exe
Token: SeDebugPrivilege 3224 con5744.exe
Token: SeDebugPrivilege 3384 dMM62s56.exe

pid	process
3608	bus2264.exe
3608	bus2264.exe
3224	con5744.exe
3224	con5744.exe

description	pid	process
Token: SeDebugPrivilege	3608	bus2264.exe
Token: SeDebugPrivilege	3224	con5744.exe
Token: SeDebugPrivilege	3384	dMM62s56.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exekino1116.exe

description	pid	process	target process
PID 1300 wrote to memory of 4744	1300	e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exe	kino1116.exe
PID 1300 wrote to memory of 4744	1300	e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exe	kino1116.exe
PID 1300 wrote to memory of 4744	1300	e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exe	kino1116.exe
PID 4744 wrote to memory of 3608	4744	kino1116.exe	bus2264.exe
PID 4744 wrote to memory of 3608	4744	kino1116.exe	bus2264.exe
PID 4744 wrote to memory of 3224	4744	kino1116.exe	con5744.exe
PID 4744 wrote to memory of 3224	4744	kino1116.exe	con5744.exe
PID 4744 wrote to memory of 3224	4744	kino1116.exe	con5744.exe
PID 1300 wrote to memory of 3384	1300	e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exe	dMM62s56.exe
PID 1300 wrote to memory of 3384	1300	e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exe	dMM62s56.exe
PID 1300 wrote to memory of 3384	1300	e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exe	dMM62s56.exe

C:\Users\Admin\AppData\Local\Temp\e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exe
"C:\Users\Admin\AppData\Local\Temp\e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1116.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1116.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4744

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bus2264.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bus2264.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\con5744.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\con5744.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dMM62s56.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dMM62s56.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3384

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dMM62s56.exe
Filesize
456KB

MD5
0c2e81e96daed9fb11c235211c6ef382

SHA1
5f7653c0dd8ed0f766fae28f371f28ea40930604

SHA256
0bd0c51da385286ec3582bfad6f10ed45404f914082586f5a3a3a21de8f6f7c5

SHA512
90360a7d7a9458198ac91ed25833b3158c7f62af7c55f5275ede6ab49c8c1db6a25956da28590eb8d03a9e074b1a290f003640d22b3384bbfdbd400d6fad7f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1116.exe
Filesize
378KB

MD5
37638fcc272bb63bc2fbaee5eed08bc7

SHA1
b02dcc1be58b7edc84c8f56c9574f416ed260e7e

SHA256
8a3414fc223a9b9b3ea453a50deaffb004f79916c8445097e93fda052c9b8666

SHA512
d222020673aa5a714da3f24808b2636317b324b5ad4e008161e0e2738c97daa3beb9c1338373cfaa5db4b5aa9bfdc98110add9253b90e83f2f48d9d8597877b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bus2264.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\con5744.exe
Filesize
398KB

MD5
ba6d82ef0b33ee1ab51cfff0ba010577

SHA1
a71d760ec6cc90b8e44b373ea4eb89bb35bd9a66

SHA256
b28dafcb8dd2c8548db0aecdec318ae1fd5af1568691d12a6c03763a719e9e0e

SHA512
88459a0b24af44ee9725360abe4f7ea31f6ba28255f45d8cf903ed8f1fa35801a8e1b6dc8670d59a7f44f65df8ce226c97429e8c80a77e08f29dbb5345e30dd4

Download Submit
memory/3224-22-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/3224-23-0x0000000000840000-0x000000000086D000-memory.dmp

Filesize
180KB

Download
memory/3224-24-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/3224-25-0x0000000002780000-0x000000000279A000-memory.dmp

Filesize
104KB

Download
memory/3224-26-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/3224-27-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/3224-28-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/3224-29-0x0000000004E60000-0x0000000005404000-memory.dmp

Filesize
5.6MB

Download
memory/3224-30-0x0000000004E00000-0x0000000004E18000-memory.dmp

Filesize
96KB

Download
memory/3224-31-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-32-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-34-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-36-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-38-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-40-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-42-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-44-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-48-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-46-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-50-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-54-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-56-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-58-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-52-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3224-59-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/3224-60-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/3224-62-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/3224-63-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/3384-69-0x0000000002520000-0x0000000002566000-memory.dmp

Filesize
280KB

Download
memory/3384-68-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/3384-71-0x0000000004D10000-0x0000000004D54000-memory.dmp

Filesize
272KB

Download
memory/3384-70-0x0000000000740000-0x000000000078B000-memory.dmp

Filesize
300KB

Download
memory/3384-73-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-75-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/3384-77-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/3384-74-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-72-0x0000000000400000-0x0000000000734000-memory.dmp

Filesize
3.2MB

Download
memory/3384-79-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/3384-81-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-83-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-78-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-85-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-87-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-89-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-91-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-93-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-95-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-97-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-99-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-101-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-103-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-105-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-107-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-109-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/3384-982-0x00000000054B0000-0x0000000005AC8000-memory.dmp

Filesize
6.1MB

Download
memory/3384-983-0x0000000005B50000-0x0000000005C5A000-memory.dmp

Filesize
1.0MB

Download
memory/3384-984-0x0000000005C90000-0x0000000005CA2000-memory.dmp

Filesize
72KB

Download
memory/3384-985-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/3384-986-0x0000000005CB0000-0x0000000005CEC000-memory.dmp

Filesize
240KB

Download
memory/3384-987-0x0000000005E00000-0x0000000005E4C000-memory.dmp

Filesize
304KB

Download
memory/3384-989-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/3384-991-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/3384-992-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/3384-993-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/3384-994-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/3608-14-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/3608-15-0x00007FFA318C0000-0x00007FFA32381000-memory.dmp

Filesize
10.8MB

Download
memory/3608-17-0x00007FFA318C0000-0x00007FFA32381000-memory.dmp

Filesize
10.8MB

Download