healer | 7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe
Size

696KB
MD5

4ca06158407b9d95c86f42dbb09487f4
SHA1

d16920e8b6a12e631d3be57be69d2038f1236813
SHA256

7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354
SHA512

1b0f9cc86ae32c4789349edaa17b75b8dde3e500a97b32db5c55db4d4ca8bbc17c5aa4dbc5ea0bfc89ca6d8267bd21754236bb0e4e09de1bc84428d7fe005324
SSDEEP

12288:jy90CgQx7nUfjX/OPqVQqT3hxKjOuYYEcYrUHVJH4:jyBKjX/OSVlD9uY12s

Score

10^/10

healer redline zgrat dropper evasion infostealer persistence rat trojan

Malware Config

Signatures

Detect ZGRat V1 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2352-61-0x0000000004940000-0x000000000497C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-63-0x0000000004B20000-0x0000000004B5A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-64-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-65-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-67-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-74-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-71-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-77-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-79-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-83-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-81-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-85-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-87-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-89-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-91-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-93-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-95-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-97-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-99-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-101-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_zgrat_v1

Detects Healer an antivirus disabler dropper 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1068-17-0x0000000004BC0000-0x0000000004BDA000-memory.dmp	healer
behavioral1/memory/1068-19-0x0000000004C50000-0x0000000004C68000-memory.dmp	healer
behavioral1/memory/1068-21-0x0000000007210000-0x0000000007220000-memory.dmp	healer
behavioral1/memory/1068-24-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-23-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-26-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-29-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-31-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-33-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-35-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-37-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-39-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-41-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-43-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-45-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-47-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-49-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer
behavioral1/memory/1068-51-0x0000000004C50000-0x0000000004C62000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pr399239.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr399239.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr399239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr399239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr399239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr399239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr399239.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2352-61-0x0000000004940000-0x000000000497C000-memory.dmp	family_redline
behavioral1/memory/2352-63-0x0000000004B20000-0x0000000004B5A000-memory.dmp	family_redline
behavioral1/memory/2352-64-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-65-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-67-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-74-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-71-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-77-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-79-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-83-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-81-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-85-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-87-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-89-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-91-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-93-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-95-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-97-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-99-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline
behavioral1/memory/2352-101-0x0000000004B20000-0x0000000004B55000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1068-17-0x0000000004BC0000-0x0000000004BDA000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-19-0x0000000004C50000-0x0000000004C68000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-21-0x0000000007210000-0x0000000007220000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-24-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-23-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-26-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-29-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-31-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-33-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-35-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-37-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-39-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-41-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-43-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-45-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-47-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-49-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/1068-51-0x0000000004C50000-0x0000000004C62000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Detects executables packed with ConfuserEx Mod 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2352-61-0x0000000004940000-0x000000000497C000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-63-0x0000000004B20000-0x0000000004B5A000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-64-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-65-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-67-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-74-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-71-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-77-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-79-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-83-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-81-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-85-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-87-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-89-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-91-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-93-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-95-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-97-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-99-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2352-101-0x0000000004B20000-0x0000000004B55000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 3 IoCs

Processes:

un639802.exepr399239.exequ051503.exe

pid process

3604 un639802.exe
1068 pr399239.exe
2352 qu051503.exe

pid	process
3604	un639802.exe
1068	pr399239.exe
2352	qu051503.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pr399239.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr399239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr399239.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exeun639802.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un639802.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1236 1068 WerFault.exe pr399239.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pr399239.exe

pid process

1068 pr399239.exe
1068 pr399239.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pr399239.exequ051503.exe

description pid process

Token: SeDebugPrivilege 1068 pr399239.exe
Token: SeDebugPrivilege 2352 qu051503.exe

pid	pid_target	process	target process
1236	1068	WerFault.exe	pr399239.exe

pid	process
1068	pr399239.exe
1068	pr399239.exe

description	pid	process
Token: SeDebugPrivilege	1068	pr399239.exe
Token: SeDebugPrivilege	2352	qu051503.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exeun639802.exe

description	pid	process	target process
PID 3156 wrote to memory of 3604	3156	7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe	un639802.exe
PID 3156 wrote to memory of 3604	3156	7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe	un639802.exe
PID 3156 wrote to memory of 3604	3156	7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe	un639802.exe
PID 3604 wrote to memory of 1068	3604	un639802.exe	pr399239.exe
PID 3604 wrote to memory of 1068	3604	un639802.exe	pr399239.exe
PID 3604 wrote to memory of 1068	3604	un639802.exe	pr399239.exe
PID 3604 wrote to memory of 2352	3604	un639802.exe	qu051503.exe
PID 3604 wrote to memory of 2352	3604	un639802.exe	qu051503.exe
PID 3604 wrote to memory of 2352	3604	un639802.exe	qu051503.exe

C:\Users\Admin\AppData\Local\Temp\7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe
"C:\Users\Admin\AppData\Local\Temp\7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3156

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1080
4⤵
- Program crash
PID:1236

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu051503.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu051503.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1068 -ip 1068
1⤵
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe
Filesize
543KB

MD5
00878ae94239027c6ac0ce0456c9a361

SHA1
54f29558ab5f63bf62a4a83e66f69d863eafe4fb

SHA256
01b702685250315679d5eb07cde349e2410e2acd7c2c2678b53f9eb99a50ff2e

SHA512
ba477fef4c1996c60b6d7fdc958bba53e9c3da9d82f5030dec2cde287ae4841a94eb5bfb98d5b7b00813ce5b2449b45bc11e16a73fb4a3454571d1a0c20d6af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe
Filesize
269KB

MD5
51760ce0e328ced19f6df0b15917e990

SHA1
51de00adfc945ff585e8748a19c73f51a3ce1851

SHA256
41ea0044cbcb091b71e51cac039e51bd1f64b071240062f32c0f7dbd910f8cf1

SHA512
0141440edd082d8f662a63dfcd54796b08145d578adcd7c9de37b12141ae342ae4999654ec466e7da3688e1938c1b0e440e769068968a91b019ca70622a50108

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu051503.exe
Filesize
351KB

MD5
f91e92e49af44f1855c1d733f7407c09

SHA1
e0893c65b0af985549de8d17e76712407527aa60

SHA256
a4b94c14067a61e830a27d71ef0a2630a64b64f5dd59576ad5ed13cf0b4eefc5

SHA512
68bef83cdc2a87260fb79bfa350777fab4935c3ef6fe68deeeab99729b692f5589ee53bec031383b6180f55cfe323bd89753e616d5979f51ddad9071ba3a4929

Download Submit
memory/1068-15-0x0000000002C90000-0x0000000002D90000-memory.dmp

Filesize
1024KB

Download
memory/1068-16-0x0000000004540000-0x000000000456D000-memory.dmp

Filesize
180KB

Download
memory/1068-17-0x0000000004BC0000-0x0000000004BDA000-memory.dmp

Filesize
104KB

Download
memory/1068-18-0x0000000007220000-0x00000000077C4000-memory.dmp

Filesize
5.6MB

Download
memory/1068-20-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/1068-19-0x0000000004C50000-0x0000000004C68000-memory.dmp

Filesize
96KB

Download
memory/1068-21-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1068-22-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1068-24-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-23-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-26-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-29-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-28-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1068-31-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-33-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-35-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-37-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-39-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-41-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-43-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-45-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-47-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-49-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-51-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1068-54-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/1068-55-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/2352-61-0x0000000004940000-0x000000000497C000-memory.dmp

Filesize
240KB

Download
memory/2352-60-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

Filesize
1024KB

Download
memory/2352-63-0x0000000004B20000-0x0000000004B5A000-memory.dmp

Filesize
232KB

Download
memory/2352-64-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-62-0x0000000002BD0000-0x0000000002C16000-memory.dmp

Filesize
280KB

Download
memory/2352-65-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-67-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-68-0x0000000000400000-0x0000000002BC2000-memory.dmp

Filesize
39.8MB

Download
memory/2352-70-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/2352-72-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/2352-75-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/2352-74-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-71-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-77-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-79-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-83-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-81-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-85-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-87-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-89-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-91-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-93-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-95-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-97-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-99-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-101-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/2352-860-0x0000000009DF0000-0x000000000A408000-memory.dmp

Filesize
6.1MB

Download
memory/2352-861-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

Filesize
72KB

Download
memory/2352-862-0x000000000A410000-0x000000000A51A000-memory.dmp

Filesize
1.0MB

Download
memory/2352-863-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/2352-864-0x0000000007340000-0x000000000737C000-memory.dmp

Filesize
240KB

Download
memory/2352-865-0x0000000004760000-0x00000000047AC000-memory.dmp

Filesize
304KB

Download
memory/2352-868-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

Filesize
1024KB

Download
memory/2352-869-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/2352-870-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/2352-871-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/2352-872-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/2352-873-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download