healer | 660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe
Size

765KB
MD5

96a5cea23c1716449eb15f99d93edfec
SHA1

66f58e9b63aeedfc3164a127997c6be833920146
SHA256

660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec
SHA512

2b76e77439f2d9036065a54e18666fb9f7ad92683deb1f8816bfd28bd3c9df3e1d31b9a3118b1ff91a29656155401709bfafb1e3e25510b6fa4587a275fc9e1d
SSDEEP

12288:dy90HSrtyuZkQ0VyqZnkcPU8wft/fNzIVoGp0rmi/biJg82aBeqpri6W6Q39:dyWSrtyu2Q0VtdnUhFNzIVoWqmiTMgOS

Score

10^/10

healer redline zgrat dropper evasion infostealer persistence rat trojan

Malware Config

Signatures

Detect ZGRat V1 20 IoCs

resource	yara_rule
behavioral1/memory/1496-61-0x0000000002860000-0x000000000289C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-68-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-71-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-67-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-64-0x0000000005410000-0x000000000544A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-73-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-75-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-77-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-79-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-81-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-83-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-85-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-87-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-89-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-91-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-93-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-95-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-97-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-99-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1
behavioral1/memory/1496-101-0x0000000005410000-0x0000000005445000-memory.dmp	family_zgrat_v1

Detects Healer an antivirus disabler dropper 18 IoCs

resource	yara_rule
behavioral1/memory/880-18-0x0000000002730000-0x000000000274A000-memory.dmp	healer
behavioral1/memory/880-21-0x0000000002810000-0x0000000002820000-memory.dmp	healer
behavioral1/memory/880-23-0x00000000027B0000-0x00000000027C8000-memory.dmp	healer
behavioral1/memory/880-25-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-24-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-27-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-29-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-31-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-35-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-37-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-33-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-49-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-47-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-45-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-43-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-41-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-51-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer
behavioral1/memory/880-39-0x00000000027B0000-0x00000000027C2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr481470.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr481470.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr481470.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr481470.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr481470.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr481470.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/1496-61-0x0000000002860000-0x000000000289C000-memory.dmp	family_redline
behavioral1/memory/1496-68-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-71-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-67-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-64-0x0000000005410000-0x000000000544A000-memory.dmp	family_redline
behavioral1/memory/1496-73-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-75-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-77-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-79-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-81-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-83-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-85-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-87-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-89-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-91-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-93-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-95-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-97-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-99-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline
behavioral1/memory/1496-101-0x0000000005410000-0x0000000005445000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 18 IoCs

resource	yara_rule
behavioral1/memory/880-18-0x0000000002730000-0x000000000274A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-21-0x0000000002810000-0x0000000002820000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-23-0x00000000027B0000-0x00000000027C8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-25-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-24-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-27-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-29-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-31-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-35-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-37-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-33-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-49-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-47-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-45-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-43-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-41-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-51-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/880-39-0x00000000027B0000-0x00000000027C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Detects executables packed with ConfuserEx Mod 20 IoCs

resource	yara_rule
behavioral1/memory/1496-61-0x0000000002860000-0x000000000289C000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-68-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-71-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-67-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-64-0x0000000005410000-0x000000000544A000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-73-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-75-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-77-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-79-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-81-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-83-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-85-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-87-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-89-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-91-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-93-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-95-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-97-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-99-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1496-101-0x0000000005410000-0x0000000005445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 3 IoCs

pid	Process
4444	un606167.exe
880	pr481470.exe
1496	qu272517.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr481470.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr481470.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un606167.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3644	880	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
880	pr481470.exe
880	pr481470.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	pr481470.exe
Token: SeDebugPrivilege	1496	qu272517.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 4444	1516	660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe	84
PID 1516 wrote to memory of 4444	1516	660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe	84
PID 1516 wrote to memory of 4444	1516	660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe	84
PID 4444 wrote to memory of 880	4444	un606167.exe	85
PID 4444 wrote to memory of 880	4444	un606167.exe	85
PID 4444 wrote to memory of 880	4444	un606167.exe	85
PID 4444 wrote to memory of 1496	4444	un606167.exe	100
PID 4444 wrote to memory of 1496	4444	un606167.exe	100
PID 4444 wrote to memory of 1496	4444	un606167.exe	100

C:\Users\Admin\AppData\Local\Temp\660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe
"C:\Users\Admin\AppData\Local\Temp\660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1080
      4⤵
      Program crash
      PID:3644
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu272517.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu272517.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 880 -ip 880
1⤵
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe

Filesize
610KB

MD5
b29d673ce1bb3eb24787709a2074e8fd

SHA1
92307ca2dc5f538162368381583f64f403fea29d

SHA256
2aa314b524e754edb0bd84fb3907353f6b18c1286e8d605c83b37e9080052d4f

SHA512
3a2ea68b827daf1972c9955c0205f4214168849f84202752e4acc74bdaf51b7eaad4f3fc73f68bbab700db06b6ea76fae25c6ad382aff9e244f418291421ff32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe

Filesize
403KB

MD5
079b082230b86057c1003d6802d5d375

SHA1
f59fb36c9bdc3d6a3b1ca10554c414f58d12d05d

SHA256
5cfb45177f2571c9467a416fa58e4d56ba18c300c693cbe8a6c248be738298c0

SHA512
9e4a7d847e9e4bf142140f2e763d84463f762c399d2578261ede93e8562b251303167c9a2894e934698e8b71fd64bd3a4e1617d6302dd8f6084885f3b9281606

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu272517.exe

Filesize
486KB

MD5
253b2ec97923381ce443a170f4df792d

SHA1
4290ccbc39a14c9615e1167cd84e20676652ef25

SHA256
c11fcc608ebd3e568c203b0a5610075a3056273908f812de1a776c282e8c35be

SHA512
9364ec8bd1819d8016374d41ea5d272bd255eee5316c3c9c7a0c300101dfb42a236ece1aef38c18601b3ebf9b7f916499b53233e23903324829cbb3ccb7cf9b0

Download Submit
memory/880-15-0x0000000000980000-0x0000000000A80000-memory.dmp

Filesize
1024KB

Download
memory/880-16-0x0000000000A80000-0x0000000000AAD000-memory.dmp

Filesize
180KB

Download
memory/880-17-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/880-19-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/880-18-0x0000000002730000-0x000000000274A000-memory.dmp

Filesize
104KB

Download
memory/880-20-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/880-21-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/880-22-0x0000000004E30000-0x00000000053D4000-memory.dmp

Filesize
5.6MB

Download
memory/880-23-0x00000000027B0000-0x00000000027C8000-memory.dmp

Filesize
96KB

Download
memory/880-25-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-24-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-27-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-29-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-31-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-35-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-37-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-33-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-49-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-47-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-45-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-43-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-41-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-51-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-39-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/880-54-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/880-55-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/1496-61-0x0000000002860000-0x000000000289C000-memory.dmp

Filesize
240KB

Download
memory/1496-60-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1496-62-0x0000000000B90000-0x0000000000BD6000-memory.dmp

Filesize
280KB

Download
memory/1496-63-0x0000000000400000-0x000000000081E000-memory.dmp

Filesize
4.1MB

Download
memory/1496-65-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/1496-66-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/1496-68-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-71-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-67-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-64-0x0000000005410000-0x000000000544A000-memory.dmp

Filesize
232KB

Download
memory/1496-70-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/1496-73-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-75-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-77-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-79-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-81-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-83-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-85-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-87-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-89-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-91-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-93-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-95-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-97-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-99-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-101-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/1496-860-0x0000000007910000-0x0000000007F28000-memory.dmp

Filesize
6.1MB

Download
memory/1496-861-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

Filesize
72KB

Download
memory/1496-862-0x0000000007FC0000-0x00000000080CA000-memory.dmp

Filesize
1.0MB

Download
memory/1496-863-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/1496-864-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/1496-865-0x0000000004910000-0x000000000495C000-memory.dmp

Filesize
304KB

Download
memory/1496-867-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1496-869-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/1496-870-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/1496-871-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/1496-872-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/1496-873-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download