healer | f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe
Size

536KB
MD5

946ce9bbd3ec2564134ccde23c3870ad
SHA1

2053c03eb99bd9f97bf87cc2dae1d6e37e46aa8e
SHA256

f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c
SHA512

fa9e9c13356caaf47cd2548959ce3c376d3a865978885ac8f2c5355a680ea203517c4f2b2b830e05fe3cf5cc290d26ed5020fc3beee7357887509362ba7c5ce1
SSDEEP

12288:Ty90g489FMFZjIj6vXfEuixQUqr0DB62am9ElY:TyE89RgXMHRpA2aAElY

Score

10^/10

healer redline zgrat dropper evasion infostealer persistence rat trojan

Malware Config

Signatures

Detect ZGRat V1 20 IoCs

resource	yara_rule
behavioral1/memory/1108-53-0x00000000049E0000-0x0000000004A1C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-54-0x0000000005010000-0x000000000504A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-63-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-90-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-87-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-85-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-83-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-82-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-79-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-77-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-75-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-73-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-72-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-69-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-67-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-65-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-61-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-59-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-57-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1
behavioral1/memory/1108-56-0x0000000005010000-0x0000000005045000-memory.dmp	family_zgrat_v1

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3636-12-0x00000000023A0000-0x00000000023BA000-memory.dmp	healer
behavioral1/memory/3636-14-0x0000000004B40000-0x0000000004B58000-memory.dmp	healer
behavioral1/memory/3636-15-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-24-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-42-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-40-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-38-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-37-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-34-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-32-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-30-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-28-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-26-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-22-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-20-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-18-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer
behavioral1/memory/3636-16-0x0000000004B40000-0x0000000004B53000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	04447002.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	04447002.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	04447002.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	04447002.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	04447002.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	04447002.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/1108-53-0x00000000049E0000-0x0000000004A1C000-memory.dmp	family_redline
behavioral1/memory/1108-54-0x0000000005010000-0x000000000504A000-memory.dmp	family_redline
behavioral1/memory/1108-63-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-90-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-87-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-85-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-83-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-82-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-79-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-77-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-75-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-73-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-72-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-69-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-67-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-65-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-61-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-59-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-57-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline
behavioral1/memory/1108-56-0x0000000005010000-0x0000000005045000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 17 IoCs

resource	yara_rule
behavioral1/memory/3636-12-0x00000000023A0000-0x00000000023BA000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-14-0x0000000004B40000-0x0000000004B58000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-15-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-24-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-42-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-40-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-38-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-37-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-34-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-32-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-30-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-28-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-26-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-22-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-20-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-18-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3636-16-0x0000000004B40000-0x0000000004B53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Detects executables packed with ConfuserEx Mod 20 IoCs

resource	yara_rule
behavioral1/memory/1108-53-0x00000000049E0000-0x0000000004A1C000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-54-0x0000000005010000-0x000000000504A000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-63-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-90-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-87-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-85-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-83-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-82-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-79-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-77-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-75-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-73-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-72-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-69-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-67-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-65-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-61-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-59-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-57-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1108-56-0x0000000005010000-0x0000000005045000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 2 IoCs

pid	Process
3636	04447002.exe
1108	rk664141.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	04447002.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	04447002.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2504	3636	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3636	04447002.exe
3636	04447002.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	04447002.exe
Token: SeDebugPrivilege	1108	rk664141.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 3636	536	f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe	83
PID 536 wrote to memory of 3636	536	f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe	83
PID 536 wrote to memory of 3636	536	f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe	83
PID 536 wrote to memory of 1108	536	f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe	97
PID 536 wrote to memory of 1108	536	f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe	97
PID 536 wrote to memory of 1108	536	f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe	97

C:\Users\Admin\AppData\Local\Temp\f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe
"C:\Users\Admin\AppData\Local\Temp\f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1100
    3⤵
    - Program crash
    PID:2504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk664141.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk664141.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3636 -ip 3636
1⤵
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe

Filesize
259KB

MD5
70fad5d9c3ad01581c79278f9c66d972

SHA1
fb09bd9838bb98426271705ddd7a0f0c9e2584f3

SHA256
2ebcf392616d2eb2128f1cce9f537dfc98783d1595806ac0be0959fea856211c

SHA512
49c6550cde46e643754ea13bf8bfce59724e42cca08753956297f25b604d5ca89866718c66f1cc750158805fc7c74eb2f635bbb95d7d0049cbf0048813da60d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk664141.exe

Filesize
341KB

MD5
3ea494f11fa64d263fa40ef7b07c6c52

SHA1
f44d0431f2a36645701e4b04509eaeb946e8e7e7

SHA256
29779782e75937b7bb2e85096c1ee4b3a7db913b0b2991c583bb2e8918c8541c

SHA512
4c1ba94a57ed4ec18be4ab91805eb574016e64953105d06c4ebf754f56411b03f7b475901a98e5f7e16885035618bedc01f79bf035adc33d9215359802530ff5

Download Submit
memory/1108-75-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-65-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-852-0x00000000024C0000-0x000000000250C000-memory.dmp

Filesize
304KB

Download
memory/1108-54-0x0000000005010000-0x000000000504A000-memory.dmp

Filesize
232KB

Download
memory/1108-53-0x00000000049E0000-0x0000000004A1C000-memory.dmp

Filesize
240KB

Download
memory/1108-851-0x0000000007D30000-0x0000000007D6C000-memory.dmp

Filesize
240KB

Download
memory/1108-52-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1108-849-0x0000000007BF0000-0x0000000007C02000-memory.dmp

Filesize
72KB

Download
memory/1108-848-0x0000000007530000-0x0000000007B48000-memory.dmp

Filesize
6.1MB

Download
memory/1108-56-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-57-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-59-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-61-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-51-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1108-67-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-69-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-72-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-73-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-77-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-79-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-82-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-83-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-85-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-87-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-850-0x0000000007C10000-0x0000000007D1A000-memory.dmp

Filesize
1.0MB

Download
memory/1108-90-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-63-0x0000000005010000-0x0000000005045000-memory.dmp

Filesize
212KB

Download
memory/1108-55-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3636-32-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-12-0x00000000023A0000-0x00000000023BA000-memory.dmp

Filesize
104KB

Download
memory/3636-13-0x0000000004C60000-0x0000000005204000-memory.dmp

Filesize
5.6MB

Download
memory/3636-9-0x0000000001F80000-0x0000000001FAD000-memory.dmp

Filesize
180KB

Download
memory/3636-46-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3636-45-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3636-16-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-18-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-20-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-10-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3636-22-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-26-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-28-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-30-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-8-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/3636-34-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-37-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-38-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-40-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-42-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-24-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-15-0x0000000004B40000-0x0000000004B53000-memory.dmp

Filesize
76KB

Download
memory/3636-14-0x0000000004B40000-0x0000000004B58000-memory.dmp

Filesize
96KB

Download
memory/3636-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download