healer | 0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410

Analysis

max time kernel
178s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410.exe
Size

689KB
MD5

9c2d2d65e9a4499e90b4f36b688b778e
SHA1

3dda6ca7c341eab0cce5fb8f72fc82de2379fe78
SHA256

0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410
SHA512

eef0b089b4e3dfa7f71d7a71cdb0052b50d4332700e3c1469ed0fd43384fbd17da0f265f7d69dca290c9aed5696cd4dbddc83b79249e0a363f4a82f608724f59
SSDEEP

12288:eMrmy90oWU2EyEZ18KU2PBUDIfUJlPOAeOxs1krf:cycU2rEZGKVPWD7JlPkIs6

Score

10^/10

healer redline rosn dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1804-19-0x00000000025D0000-0x00000000025EA000-memory.dmp	healer
behavioral1/memory/1804-23-0x0000000002920000-0x0000000002938000-memory.dmp	healer
behavioral1/memory/1804-24-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-25-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-27-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-29-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-31-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-33-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-35-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-37-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-39-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-41-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-43-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-45-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-47-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-49-0x0000000002920000-0x0000000002932000-memory.dmp	healer
behavioral1/memory/1804-51-0x0000000002920000-0x0000000002932000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro4858.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4858.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4858.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4858.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4858.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4858.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4858.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1616-63-0x00000000025C0000-0x0000000002606000-memory.dmp	family_redline
behavioral1/memory/1616-67-0x0000000002AE0000-0x0000000002B24000-memory.dmp	family_redline
behavioral1/memory/1616-72-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-71-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-74-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-76-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-78-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-80-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-82-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-84-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-86-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-88-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-90-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-92-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-94-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-96-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-98-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-100-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline
behavioral1/memory/1616-102-0x0000000002AE0000-0x0000000002B1F000-memory.dmp	family_redline

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1804-19-0x00000000025D0000-0x00000000025EA000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-23-0x0000000002920000-0x0000000002938000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-24-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-25-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-27-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-29-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-31-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-33-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-35-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-37-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-39-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-41-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-43-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-45-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-47-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-49-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1804-51-0x0000000002920000-0x0000000002932000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Executes dropped EXE 3 IoCs

Processes:

un460833.exepro4858.exequ3563.exe

pid process

2448 un460833.exe
1804 pro4858.exe
1616 qu3563.exe

pid	process
2448	un460833.exe
1804	pro4858.exe
1616	qu3563.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro4858.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4858.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4858.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410.exeun460833.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un460833.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro4858.exe

pid process

1804 pro4858.exe
1804 pro4858.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro4858.exequ3563.exe

description pid process

Token: SeDebugPrivilege 1804 pro4858.exe
Token: SeDebugPrivilege 1616 qu3563.exe

pid	process
1804	pro4858.exe
1804	pro4858.exe

description	pid	process
Token: SeDebugPrivilege	1804	pro4858.exe
Token: SeDebugPrivilege	1616	qu3563.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410.exeun460833.exe

description	pid	process	target process
PID 1192 wrote to memory of 2448	1192	0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410.exe	un460833.exe
PID 1192 wrote to memory of 2448	1192	0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410.exe	un460833.exe
PID 1192 wrote to memory of 2448	1192	0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410.exe	un460833.exe
PID 2448 wrote to memory of 1804	2448	un460833.exe	pro4858.exe
PID 2448 wrote to memory of 1804	2448	un460833.exe	pro4858.exe
PID 2448 wrote to memory of 1804	2448	un460833.exe	pro4858.exe
PID 2448 wrote to memory of 1616	2448	un460833.exe	qu3563.exe
PID 2448 wrote to memory of 1616	2448	un460833.exe	qu3563.exe
PID 2448 wrote to memory of 1616	2448	un460833.exe	qu3563.exe

C:\Users\Admin\AppData\Local\Temp\0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410.exe
"C:\Users\Admin\AppData\Local\Temp\0cc1d72ad0f5dbe199bcb7ccf8073ff9662358254b059f7e9391359dd69ae410.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un460833.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un460833.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4858.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4858.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3563.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3563.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un460833.exe
Filesize
535KB

MD5
49b438e7a0267a4be444f3813f469b1b

SHA1
def27ee6bb3fafa8ebfc6cac51e5f659007e2e0e

SHA256
9d22ed9375a8e1bb6715f94027e7c5957322d197fbbf27c4b1a7e89dc6ff5113

SHA512
a4fd8f7ce7db877280331f31e26014cb71623c7e32ad160f98d1998e3990b161b2a6337fa99236626c49a7bab74e5030469e5f98f05445e6e4c5703538c5b4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4858.exe
Filesize
312KB

MD5
ea30b3777e9f5a69691d02a96b0a18c1

SHA1
5c74d770f650859756097247c30d12722bb4f874

SHA256
77f53d8da901f29778636d46db2203061c6c0a2157c6b027ccaad7a4bbb2b70e

SHA512
939904b57736e7ba32b368f1b1874cc478a6c8fc152c7b2d1730146dab9c44e0afe047a8b06ebacc715adc81002102f8d8fb856a79c634ef7301b41a5907a517

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3563.exe
Filesize
370KB

MD5
4f395c9c33d09c1f199b2512f3c31184

SHA1
08f83c7ffa12fc7f5cbeb618b37334d359936f13

SHA256
07f74d40cd0a9c4df52e09f47759f45a18ca43d05d249cd2ba660877cb44c9cf

SHA512
ed88c33507bafe82a88f4aa1e1a8def993efc6618e573ff219fdd1907c610261070d728cb3f0a57bfe7e4c36ea4036b1613dc1295e3347e9150f136e09734fdc

Download Submit
memory/1616-92-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-98-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-990-0x0000000002BF0000-0x0000000002C00000-memory.dmp

Filesize
64KB

Download
memory/1616-987-0x0000000002BF0000-0x0000000002C00000-memory.dmp

Filesize
64KB

Download
memory/1616-988-0x0000000002BF0000-0x0000000002C00000-memory.dmp

Filesize
64KB

Download
memory/1616-65-0x0000000000D60000-0x0000000000DAB000-memory.dmp

Filesize
300KB

Download
memory/1616-986-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/1616-985-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/1616-982-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

Filesize
304KB

Download
memory/1616-981-0x0000000005C50000-0x0000000005C8C000-memory.dmp

Filesize
240KB

Download
memory/1616-980-0x0000000002BF0000-0x0000000002C00000-memory.dmp

Filesize
64KB

Download
memory/1616-979-0x0000000002D10000-0x0000000002D22000-memory.dmp

Filesize
72KB

Download
memory/1616-978-0x0000000002C00000-0x0000000002D0A000-memory.dmp

Filesize
1.0MB

Download
memory/1616-68-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/1616-977-0x0000000005630000-0x0000000005C48000-memory.dmp

Filesize
6.1MB

Download
memory/1616-102-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-100-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-70-0x0000000002BF0000-0x0000000002C00000-memory.dmp

Filesize
64KB

Download
memory/1616-96-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-94-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-90-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-88-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-86-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-84-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-82-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-69-0x0000000002BF0000-0x0000000002C00000-memory.dmp

Filesize
64KB

Download
memory/1616-80-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-78-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-76-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-63-0x00000000025C0000-0x0000000002606000-memory.dmp

Filesize
280KB

Download
memory/1616-64-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/1616-66-0x0000000000400000-0x0000000000811000-memory.dmp

Filesize
4.1MB

Download
memory/1616-74-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-71-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-72-0x0000000002AE0000-0x0000000002B1F000-memory.dmp

Filesize
252KB

Download
memory/1616-67-0x0000000002AE0000-0x0000000002B24000-memory.dmp

Filesize
272KB

Download
memory/1804-41-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-54-0x0000000000A70000-0x0000000000A9D000-memory.dmp

Filesize
180KB

Download
memory/1804-33-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-21-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1804-16-0x0000000000A70000-0x0000000000A9D000-memory.dmp

Filesize
180KB

Download
memory/1804-58-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/1804-57-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/1804-53-0x0000000000860000-0x0000000000960000-memory.dmp

Filesize
1024KB

Download
memory/1804-52-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/1804-51-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-49-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-47-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-15-0x0000000000860000-0x0000000000960000-memory.dmp

Filesize
1024KB

Download
memory/1804-45-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-43-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-17-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/1804-39-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-37-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-35-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-31-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-29-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-27-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-25-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-24-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/1804-23-0x0000000002920000-0x0000000002938000-memory.dmp

Filesize
96KB

Download
memory/1804-22-0x0000000004E40000-0x00000000053E4000-memory.dmp

Filesize
5.6MB

Download
memory/1804-20-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/1804-19-0x00000000025D0000-0x00000000025EA000-memory.dmp

Filesize
104KB

Download
memory/1804-18-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download