healer | 8cc6679c34691a07ca82dfa2e42bb4cb80b8f3283bad650d6e3818ac030c32d3

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9a8b4bb4dd37e699485236af8b9f652f2d7a93c83e9ce906ac2e6ffe1fb5e42.exe
Size

954KB
MD5

b65641f23eead5be7a64228632048588
SHA1

25ec492c675c5f9178e22fe9987de28188932252
SHA256

e9a8b4bb4dd37e699485236af8b9f652f2d7a93c83e9ce906ac2e6ffe1fb5e42
SHA512

b41516ed28383054bbd9e89868a8294317ca6b6ff4ff4ca5769246a6e9ad3b87e7f9b3f6ef0b03ec650723e5454d1db809357b875243bf273071d97eea71b2bb
SSDEEP

24576:HyHsLsUsIRbO+L/PSIR9CX/1HKxCJKglO:S7UsadLU/1nJ

Score

10^/10

healer mystic redline darts kendo dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

darts

77.91.124.82:19071

Attributes

auth_value
3c8818da7045365845f15ec0946ebf11

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral20/memory/1732-33-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral20/memory/1732-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral20/memory/1732-32-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2488744.exe	mystic_family

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral20/memory/556-28-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral20/memory/2660-39-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0642196.exe	family_redline
behavioral20/memory/4612-49-0x00000000005B0000-0x00000000005E0000-memory.dmp	family_redline

Executes dropped EXE 8 IoCs

Processes:

v5896512.exev8216649.exev6159038.exea0200309.exeb0121758.exec3580159.exed2488744.exee0642196.exe

pid process

4988 v5896512.exe
4756 v8216649.exe
1012 v6159038.exe
3224 a0200309.exe
1684 b0121758.exe
4992 c3580159.exe
4452 d2488744.exe
4612 e0642196.exe

pid	process
4988	v5896512.exe
4756	v8216649.exe
1012	v6159038.exe
3224	a0200309.exe
1684	b0121758.exe
4992	c3580159.exe
4452	d2488744.exe
4612	e0642196.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e9a8b4bb4dd37e699485236af8b9f652f2d7a93c83e9ce906ac2e6ffe1fb5e42.exev5896512.exev8216649.exev6159038.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e9a8b4bb4dd37e699485236af8b9f652f2d7a93c83e9ce906ac2e6ffe1fb5e42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5896512.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8216649.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6159038.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

a0200309.exeb0121758.exec3580159.exe

description	pid	process	target process
PID 3224 set thread context of 556	3224	a0200309.exe	AppLaunch.exe
PID 1684 set thread context of 1732	1684	b0121758.exe	AppLaunch.exe
PID 4992 set thread context of 2660	4992	c3580159.exe	AppLaunch.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1676 3224 WerFault.exe a0200309.exe
2016 1684 WerFault.exe b0121758.exe
3408 4992 WerFault.exe c3580159.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

556 AppLaunch.exe
556 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 556 AppLaunch.exe

pid	pid_target	process	target process
1676	3224	WerFault.exe	a0200309.exe
2016	1684	WerFault.exe	b0121758.exe
3408	4992	WerFault.exe	c3580159.exe

pid	process
556	AppLaunch.exe
556	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	556	AppLaunch.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

e9a8b4bb4dd37e699485236af8b9f652f2d7a93c83e9ce906ac2e6ffe1fb5e42.exev5896512.exev8216649.exev6159038.exea0200309.exeb0121758.exec3580159.exe

description	pid	process	target process
PID 3172 wrote to memory of 4988	3172	e9a8b4bb4dd37e699485236af8b9f652f2d7a93c83e9ce906ac2e6ffe1fb5e42.exe	v5896512.exe
PID 3172 wrote to memory of 4988	3172	e9a8b4bb4dd37e699485236af8b9f652f2d7a93c83e9ce906ac2e6ffe1fb5e42.exe	v5896512.exe
PID 3172 wrote to memory of 4988	3172	e9a8b4bb4dd37e699485236af8b9f652f2d7a93c83e9ce906ac2e6ffe1fb5e42.exe	v5896512.exe
PID 4988 wrote to memory of 4756	4988	v5896512.exe	v8216649.exe
PID 4988 wrote to memory of 4756	4988	v5896512.exe	v8216649.exe
PID 4988 wrote to memory of 4756	4988	v5896512.exe	v8216649.exe
PID 4756 wrote to memory of 1012	4756	v8216649.exe	v6159038.exe
PID 4756 wrote to memory of 1012	4756	v8216649.exe	v6159038.exe
PID 4756 wrote to memory of 1012	4756	v8216649.exe	v6159038.exe
PID 1012 wrote to memory of 3224	1012	v6159038.exe	a0200309.exe
PID 1012 wrote to memory of 3224	1012	v6159038.exe	a0200309.exe
PID 1012 wrote to memory of 3224	1012	v6159038.exe	a0200309.exe
PID 3224 wrote to memory of 556	3224	a0200309.exe	AppLaunch.exe
PID 3224 wrote to memory of 556	3224	a0200309.exe	AppLaunch.exe
PID 3224 wrote to memory of 556	3224	a0200309.exe	AppLaunch.exe
PID 3224 wrote to memory of 556	3224	a0200309.exe	AppLaunch.exe
PID 3224 wrote to memory of 556	3224	a0200309.exe	AppLaunch.exe
PID 3224 wrote to memory of 556	3224	a0200309.exe	AppLaunch.exe
PID 3224 wrote to memory of 556	3224	a0200309.exe	AppLaunch.exe
PID 3224 wrote to memory of 556	3224	a0200309.exe	AppLaunch.exe
PID 1012 wrote to memory of 1684	1012	v6159038.exe	b0121758.exe
PID 1012 wrote to memory of 1684	1012	v6159038.exe	b0121758.exe
PID 1012 wrote to memory of 1684	1012	v6159038.exe	b0121758.exe
PID 1684 wrote to memory of 1732	1684	b0121758.exe	AppLaunch.exe
PID 1684 wrote to memory of 1732	1684	b0121758.exe	AppLaunch.exe
PID 1684 wrote to memory of 1732	1684	b0121758.exe	AppLaunch.exe
PID 1684 wrote to memory of 1732	1684	b0121758.exe	AppLaunch.exe
PID 1684 wrote to memory of 1732	1684	b0121758.exe	AppLaunch.exe
PID 1684 wrote to memory of 1732	1684	b0121758.exe	AppLaunch.exe
PID 1684 wrote to memory of 1732	1684	b0121758.exe	AppLaunch.exe
PID 1684 wrote to memory of 1732	1684	b0121758.exe	AppLaunch.exe
PID 1684 wrote to memory of 1732	1684	b0121758.exe	AppLaunch.exe
PID 1684 wrote to memory of 1732	1684	b0121758.exe	AppLaunch.exe
PID 4756 wrote to memory of 4992	4756	v8216649.exe	c3580159.exe
PID 4756 wrote to memory of 4992	4756	v8216649.exe	c3580159.exe
PID 4756 wrote to memory of 4992	4756	v8216649.exe	c3580159.exe
PID 4992 wrote to memory of 2660	4992	c3580159.exe	AppLaunch.exe
PID 4992 wrote to memory of 2660	4992	c3580159.exe	AppLaunch.exe
PID 4992 wrote to memory of 2660	4992	c3580159.exe	AppLaunch.exe
PID 4992 wrote to memory of 2660	4992	c3580159.exe	AppLaunch.exe
PID 4992 wrote to memory of 2660	4992	c3580159.exe	AppLaunch.exe
PID 4992 wrote to memory of 2660	4992	c3580159.exe	AppLaunch.exe
PID 4992 wrote to memory of 2660	4992	c3580159.exe	AppLaunch.exe
PID 4992 wrote to memory of 2660	4992	c3580159.exe	AppLaunch.exe
PID 4988 wrote to memory of 4452	4988	v5896512.exe	d2488744.exe
PID 4988 wrote to memory of 4452	4988	v5896512.exe	d2488744.exe
PID 4988 wrote to memory of 4452	4988	v5896512.exe	d2488744.exe
PID 3172 wrote to memory of 4612	3172	e9a8b4bb4dd37e699485236af8b9f652f2d7a93c83e9ce906ac2e6ffe1fb5e42.exe	e0642196.exe
PID 3172 wrote to memory of 4612	3172	e9a8b4bb4dd37e699485236af8b9f652f2d7a93c83e9ce906ac2e6ffe1fb5e42.exe	e0642196.exe
PID 3172 wrote to memory of 4612	3172	e9a8b4bb4dd37e699485236af8b9f652f2d7a93c83e9ce906ac2e6ffe1fb5e42.exe	e0642196.exe

C:\Users\Admin\AppData\Local\Temp\e9a8b4bb4dd37e699485236af8b9f652f2d7a93c83e9ce906ac2e6ffe1fb5e42.exe
"C:\Users\Admin\AppData\Local\Temp\e9a8b4bb4dd37e699485236af8b9f652f2d7a93c83e9ce906ac2e6ffe1fb5e42.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5896512.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5896512.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8216649.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8216649.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6159038.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6159038.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0200309.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0200309.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 596
6⤵
- Program crash
PID:1676

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0121758.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0121758.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 200
6⤵
- Program crash
PID:2016

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3580159.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3580159.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 564
5⤵
- Program crash
PID:3408

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2488744.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2488744.exe
3⤵
- Executes dropped EXE
PID:4452

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0642196.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0642196.exe
2⤵
- Executes dropped EXE
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3224 -ip 3224
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1684 -ip 1684
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4992 -ip 4992
1⤵
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0642196.exe
Filesize
174KB

MD5
8b9bf31d8e207495437076944a8dbb67

SHA1
a287d6cf36e4f7901cd91242fb25bba5d8a1bcbd

SHA256
313b23d1bb9b6b95b200e2920f38e76e0ae988d9002ed8230f34e54403a59dc7

SHA512
799780f3c129c0dc208d0e9efcc7158dba48dee6ac983e21564d2ac31836d043f43d98042a6a173a4c2f5671d037e7a858583062d3ccbef09070f15d71966b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5896512.exe
Filesize
798KB

MD5
157ab8c360f13fbd7aa37b85a0af7060

SHA1
4aa259321877a246488466bc5d7d5fecb17942b2

SHA256
27a7a018dc01d3d0b66183d8c8669275ecf9ce7f44e0b4bdb1c252998fe3e5d6

SHA512
72d9b19e0b2dffe2bc848cf0a8bd72ca579535dc9b962ed4f86a0cfcc587c7b17092b3b971a2b6e16c33723c72da356c9a07f1f520015a34f2d62cd437010ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2488744.exe
Filesize
140KB

MD5
0743d3c069dff8ef1e63c9c1445e43f0

SHA1
fee96314ba8cc5561416b0cdd9f652bc1b53a142

SHA256
dea1571eb5140c6c96dbdb0aa1fdd30667a68f29201955fbf3b2aac916a6ac03

SHA512
bcf8058d5bdcb91221bc226819c08975b0aac18fdd53c0de9a0595988b3b593448f8b026d9c275f7be9e40b77753137a5a0b4aee78df216130eba75e1d3dd9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8216649.exe
Filesize
632KB

MD5
c1f230f17299e0549b94ec105eb2dc67

SHA1
0f169a3b824a614035798defde6955174f6432a0

SHA256
7e6a9c35e171d255a239a3b2bbf9c45fadf790ba0104a97f10025b3a9ff0326f

SHA512
62063f8f556299d4a8cd59d66885b55ba47b9b510adb14a579642da8a56f3ed7ec4e383f3a763a4202f531095f472709c4cc78720ca53f31fe52286a3f34c933

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3580159.exe
Filesize
413KB

MD5
4194c47b6c9aeed281684b3baca54c00

SHA1
7b7eaa6280651c59ab1d8564aed99ccff61bb806

SHA256
c69089d89b558ca26811ccfd634c207beee99bcc632b35e525bab7e7bf7e1a6b

SHA512
0e9dde3fa4de8ebb1d4a98dce410857d48a78759fbd268729a0a8c83750052c35717c851279426883d715a353d892a8e0239964a29a853a58d3684e11ac7ecbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6159038.exe
Filesize
354KB

MD5
7a82dd144bd06a57be4a8385190e87f3

SHA1
74347f053565642637582b580c119559691515d1

SHA256
4841179e098d20e4801a326d96829782005dc8123c3aac86c32feb5640a21d74

SHA512
6500bf243a0f5aa71980cddcd2f8d5624acdaee728bf375f663b2d1c43ae7ab1d005076447eeb576a5f6bcb345c0dfb9fd5141ae023f9d96065b9a0b568a643c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0200309.exe
Filesize
250KB

MD5
ba346e32088370ccf2fee5d5a39398d3

SHA1
db269802cb045e74b1774547cadab962d7c644ba

SHA256
08bbfcc52e973f31cc32a1f25d267c089ccc592ae1be4cc5292deffe88bf2ab1

SHA512
b377079ac4cea57c20b7fe44a565904bbac067d5730b1af6283c87c5024742205e1b8fac70c70c6634d4b54f5ea16c4e8c49161b7ab7956edc1afb73e37eb6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0121758.exe
Filesize
379KB

MD5
a8264268827085c6753e39f4db34e979

SHA1
faffdb84ff338bb64c1fffe35579a64b140d4ab2

SHA256
8dbc880fe0be842c8f8e6ae3137e6f8c81b417d0992bde8720fcffe1b43d124b

SHA512
46889f4257f04f94b277a5cfaff183fc1a4efad7472648c2f9b5e7fc8f9463549b6dfefb721477a21dac2a39d1753c4302226aad46fb61bed1dc5218f942ec4f

Download Submit
memory/556-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1732-33-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1732-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1732-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2660-39-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2660-44-0x0000000005520000-0x0000000005B38000-memory.dmp

Filesize
6.1MB

Download
memory/2660-40-0x0000000000DE0000-0x0000000000DE6000-memory.dmp

Filesize
24KB

Download
memory/2660-48-0x0000000005010000-0x000000000511A000-memory.dmp

Filesize
1.0MB

Download
memory/2660-50-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/2660-52-0x0000000004FA0000-0x0000000004FDC000-memory.dmp

Filesize
240KB

Download
memory/2660-53-0x0000000005120000-0x000000000516C000-memory.dmp

Filesize
304KB

Download
memory/4612-49-0x00000000005B0000-0x00000000005E0000-memory.dmp

Filesize
192KB

Download
memory/4612-51-0x0000000002760000-0x0000000002766000-memory.dmp

Filesize
24KB

Download