healer | 5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe
Size

690KB
MD5

ad4014cc2568c355da9f9f860d6c42e4
SHA1

296377a589dab944f543eeb8433b29d957b22d4a
SHA256

5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5
SHA512

ea71866536a8200be49e0edcc86e5cb78a1844692f97bb19f7d62008201babc6fdae26218be186375aea7d5d6c2897e7e81724b0481aec7897c7e3e2aa2c350b
SSDEEP

12288:cy90wPk7S6Fq6asuoGcOSsQV7vhmzWGM0/S2XB1wldCikLNUZNvoa:cyGXq6asuornNPGM0a2KgiK4Rn

Score

10^/10

healer redline zgrat dropper evasion infostealer persistence rat trojan

Malware Config

Signatures

Detect ZGRat V1 20 IoCs

resource	yara_rule
behavioral1/memory/2032-58-0x00000000023C0000-0x00000000023FC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-59-0x0000000004A50000-0x0000000004A8A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-67-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-73-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-93-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-91-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-89-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-87-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-85-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-83-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-81-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-79-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-77-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-71-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-69-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-75-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-65-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-63-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-61-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1
behavioral1/memory/2032-60-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_zgrat_v1

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3520-19-0x0000000002360000-0x000000000237A000-memory.dmp	healer
behavioral1/memory/3520-21-0x0000000004A00000-0x0000000004A18000-memory.dmp	healer
behavioral1/memory/3520-49-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-47-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-45-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-43-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-41-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-39-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-37-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-35-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-33-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-32-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-29-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-27-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-26-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-22-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer
behavioral1/memory/3520-23-0x0000000004A00000-0x0000000004A13000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	12869306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	12869306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	12869306.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	12869306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	12869306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	12869306.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/2032-58-0x00000000023C0000-0x00000000023FC000-memory.dmp	family_redline
behavioral1/memory/2032-59-0x0000000004A50000-0x0000000004A8A000-memory.dmp	family_redline
behavioral1/memory/2032-67-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-73-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-93-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-91-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-89-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-87-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-85-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-83-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-81-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-79-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-77-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-71-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-69-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-75-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-65-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-63-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-61-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline
behavioral1/memory/2032-60-0x0000000004A50000-0x0000000004A85000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 17 IoCs

resource	yara_rule
behavioral1/memory/3520-19-0x0000000002360000-0x000000000237A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-21-0x0000000004A00000-0x0000000004A18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-49-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-47-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-45-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-43-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-41-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-39-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-37-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-35-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-33-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-32-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-29-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-27-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-26-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-22-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3520-23-0x0000000004A00000-0x0000000004A13000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Detects executables packed with ConfuserEx Mod 20 IoCs

resource	yara_rule
behavioral1/memory/2032-58-0x00000000023C0000-0x00000000023FC000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-59-0x0000000004A50000-0x0000000004A8A000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-67-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-73-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-93-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-91-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-89-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-87-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-85-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-83-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-81-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-79-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-77-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-71-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-69-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-75-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-65-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-63-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-61-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2032-60-0x0000000004A50000-0x0000000004A85000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 3 IoCs

pid	Process
4564	un084450.exe
3520	12869306.exe
2032	rk622902.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	12869306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	12869306.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un084450.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5020	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1992	3520	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3520	12869306.exe
3520	12869306.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	12869306.exe
Token: SeDebugPrivilege	2032	rk622902.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4564	4808	5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe	83
PID 4808 wrote to memory of 4564	4808	5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe	83
PID 4808 wrote to memory of 4564	4808	5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe	83
PID 4564 wrote to memory of 3520	4564	un084450.exe	84
PID 4564 wrote to memory of 3520	4564	un084450.exe	84
PID 4564 wrote to memory of 3520	4564	un084450.exe	84
PID 4564 wrote to memory of 2032	4564	un084450.exe	98
PID 4564 wrote to memory of 2032	4564	un084450.exe	98
PID 4564 wrote to memory of 2032	4564	un084450.exe	98

C:\Users\Admin\AppData\Local\Temp\5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe
"C:\Users\Admin\AppData\Local\Temp\5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 1084
      4⤵
      Program crash
      PID:1992
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk622902.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk622902.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3520 -ip 3520
1⤵
PID:1780

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe

Filesize
536KB

MD5
dae959df45789f5b236e3a40afc1e883

SHA1
4402007f23f98aef46561ae692ee621f385f9515

SHA256
35a069bcc4a210210de2b15c982322ef0d0811245a9672686c4e03c413f38b90

SHA512
2aaa3bca7dfccb6d4deecb85d3d8f34bac9ffd4b66cba9f5b8282079aa67a0b6b443a7eb1a5cdc2210df67be9e1f68d01ae1dd5068944053cd4f4d328284c4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe

Filesize
259KB

MD5
ecae5f726f6cce6e2cd107f5cd4dfa1f

SHA1
1c7e13eb906e6228f9c4e20de78e25377a397b9c

SHA256
37a9dab840d162807b33e936f86438dbeab8e05cf443db80b01d2ebb39f22569

SHA512
e891aa12a70f05105fb2139196a6ca0614c851ed4b8c4b20ae32cbb98b2167eb0058c53f28ec1f44be587b2a5d3007f3e327f91aea22459e253e4c9f542611e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk622902.exe

Filesize
341KB

MD5
adf4151b56d6dd60291ebeabf8ba48c2

SHA1
478fc6ea02c926dbe947840c6d15e176ee314a63

SHA256
21e115253f2f66729e3e31c0484d8a9d2dc9ed08701d84fe382fac0ebab07d76

SHA512
3a1b5e5c39de91267b80a4d3d2dab007f8f83d169e5fd765c38861a5eb4d249ba1aa245a7cb8093b54f5e997d8b39d7ddcda302496dc50e6b9b138c2bcb898d1

Download Submit
memory/2032-77-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-75-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-856-0x0000000004580000-0x00000000045CC000-memory.dmp

Filesize
304KB

Download
memory/2032-855-0x0000000007D30000-0x0000000007D6C000-memory.dmp

Filesize
240KB

Download
memory/2032-854-0x0000000007C10000-0x0000000007D1A000-memory.dmp

Filesize
1.0MB

Download
memory/2032-853-0x0000000007BF0000-0x0000000007C02000-memory.dmp

Filesize
72KB

Download
memory/2032-59-0x0000000004A50000-0x0000000004A8A000-memory.dmp

Filesize
232KB

Download
memory/2032-852-0x0000000007540000-0x0000000007B58000-memory.dmp

Filesize
6.1MB

Download
memory/2032-60-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-61-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-63-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-67-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-65-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-73-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-69-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-71-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-79-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-81-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-83-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-85-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-58-0x00000000023C0000-0x00000000023FC000-memory.dmp

Filesize
240KB

Download
memory/2032-87-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-89-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-91-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2032-93-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/3520-35-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-39-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-49-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-23-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3520-53-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3520-52-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3520-22-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-26-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-27-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-29-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-16-0x0000000000500000-0x000000000052D000-memory.dmp

Filesize
180KB

Download
memory/3520-32-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-33-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-15-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/3520-37-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-41-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-43-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-45-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-47-0x0000000004A00000-0x0000000004A13000-memory.dmp

Filesize
76KB

Download
memory/3520-21-0x0000000004A00000-0x0000000004A18000-memory.dmp

Filesize
96KB

Download
memory/3520-20-0x0000000004B70000-0x0000000005114000-memory.dmp

Filesize
5.6MB

Download
memory/3520-19-0x0000000002360000-0x000000000237A000-memory.dmp

Filesize
104KB

Download
memory/3520-18-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download