healer | 914615fc2a86a1a3aa8a108084dd30cc54e8b935b2f14f7def84c51a049c95c2

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4577205375947aa64ee39ff4d1938582d51a0f54aa5db974cf2942d70642f84.exe
Size

1.3MB
MD5

7f93422a0105054fdf3104e91f1cf9dc
SHA1

5d1e5a9ac39269f2221e37337887268c6e243694
SHA256

a4577205375947aa64ee39ff4d1938582d51a0f54aa5db974cf2942d70642f84
SHA512

6ff253dab845e027d3fcb48f82161100573b309194fd25389e2e3b008aa9d3f24cb0d762d137ac13a540cccd6e1ed25f18a233cfe2d09d31736cdecefc0a75fa
SSDEEP

24576:dyaQP2HcftpxC8y2loSwFJkGI7bIYL6hZpTdmDUd/loMI:4au3VnploSwFJkGK8DpZOUd/lo

Score

10^/10

healer mystic redline darts kendo dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

darts

77.91.124.82:19071

Attributes

auth_value
3c8818da7045365845f15ec0946ebf11

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral11/memory/4048-49-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral11/memory/4048-47-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral11/memory/4048-46-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral11/files/0x0007000000023443-57.dat	mystic_family

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral11/memory/532-42-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral11/memory/5576-53-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral11/files/0x0007000000023440-60.dat	family_redline
behavioral11/memory/6132-63-0x0000000000980000-0x00000000009B0000-memory.dmp	family_redline

Executes dropped EXE 10 IoCs

pid	Process
2632	v5441965.exe
740	v1302736.exe
1148	v7048669.exe
1292	v3369099.exe
576	v3445258.exe
4340	a3809032.exe
1172	b8993613.exe
5584	c0477636.exe
5688	d5472132.exe
6132	e9199856.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3369099.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	v3445258.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a4577205375947aa64ee39ff4d1938582d51a0f54aa5db974cf2942d70642f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5441965.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1302736.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7048669.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4340 set thread context of 532	4340	a3809032.exe	89
PID 1172 set thread context of 4048	1172	b8993613.exe	98
PID 5584 set thread context of 5576	5584	c0477636.exe	102

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2380	4340	WerFault.exe	88
3932	1172	WerFault.exe	95
2080	5584	WerFault.exe	101

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
532	AppLaunch.exe
532	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	AppLaunch.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 2632	3148	a4577205375947aa64ee39ff4d1938582d51a0f54aa5db974cf2942d70642f84.exe	83
PID 3148 wrote to memory of 2632	3148	a4577205375947aa64ee39ff4d1938582d51a0f54aa5db974cf2942d70642f84.exe	83
PID 3148 wrote to memory of 2632	3148	a4577205375947aa64ee39ff4d1938582d51a0f54aa5db974cf2942d70642f84.exe	83
PID 2632 wrote to memory of 740	2632	v5441965.exe	84
PID 2632 wrote to memory of 740	2632	v5441965.exe	84
PID 2632 wrote to memory of 740	2632	v5441965.exe	84
PID 740 wrote to memory of 1148	740	v1302736.exe	85
PID 740 wrote to memory of 1148	740	v1302736.exe	85
PID 740 wrote to memory of 1148	740	v1302736.exe	85
PID 1148 wrote to memory of 1292	1148	v7048669.exe	86
PID 1148 wrote to memory of 1292	1148	v7048669.exe	86
PID 1148 wrote to memory of 1292	1148	v7048669.exe	86
PID 1292 wrote to memory of 576	1292	v3369099.exe	87
PID 1292 wrote to memory of 576	1292	v3369099.exe	87
PID 1292 wrote to memory of 576	1292	v3369099.exe	87
PID 576 wrote to memory of 4340	576	v3445258.exe	88
PID 576 wrote to memory of 4340	576	v3445258.exe	88
PID 576 wrote to memory of 4340	576	v3445258.exe	88
PID 4340 wrote to memory of 532	4340	a3809032.exe	89
PID 4340 wrote to memory of 532	4340	a3809032.exe	89
PID 4340 wrote to memory of 532	4340	a3809032.exe	89
PID 4340 wrote to memory of 532	4340	a3809032.exe	89
PID 4340 wrote to memory of 532	4340	a3809032.exe	89
PID 4340 wrote to memory of 532	4340	a3809032.exe	89
PID 4340 wrote to memory of 532	4340	a3809032.exe	89
PID 4340 wrote to memory of 532	4340	a3809032.exe	89
PID 576 wrote to memory of 1172	576	v3445258.exe	95
PID 576 wrote to memory of 1172	576	v3445258.exe	95
PID 576 wrote to memory of 1172	576	v3445258.exe	95
PID 1172 wrote to memory of 3600	1172	b8993613.exe	97
PID 1172 wrote to memory of 3600	1172	b8993613.exe	97
PID 1172 wrote to memory of 3600	1172	b8993613.exe	97
PID 1172 wrote to memory of 4048	1172	b8993613.exe	98
PID 1172 wrote to memory of 4048	1172	b8993613.exe	98
PID 1172 wrote to memory of 4048	1172	b8993613.exe	98
PID 1172 wrote to memory of 4048	1172	b8993613.exe	98
PID 1172 wrote to memory of 4048	1172	b8993613.exe	98
PID 1172 wrote to memory of 4048	1172	b8993613.exe	98
PID 1172 wrote to memory of 4048	1172	b8993613.exe	98
PID 1172 wrote to memory of 4048	1172	b8993613.exe	98
PID 1172 wrote to memory of 4048	1172	b8993613.exe	98
PID 1172 wrote to memory of 4048	1172	b8993613.exe	98
PID 1292 wrote to memory of 5584	1292	v3369099.exe	101
PID 1292 wrote to memory of 5584	1292	v3369099.exe	101
PID 1292 wrote to memory of 5584	1292	v3369099.exe	101
PID 5584 wrote to memory of 5576	5584	c0477636.exe	102
PID 5584 wrote to memory of 5576	5584	c0477636.exe	102
PID 5584 wrote to memory of 5576	5584	c0477636.exe	102
PID 5584 wrote to memory of 5576	5584	c0477636.exe	102
PID 5584 wrote to memory of 5576	5584	c0477636.exe	102
PID 5584 wrote to memory of 5576	5584	c0477636.exe	102
PID 5584 wrote to memory of 5576	5584	c0477636.exe	102
PID 5584 wrote to memory of 5576	5584	c0477636.exe	102
PID 1148 wrote to memory of 5688	1148	v7048669.exe	105
PID 1148 wrote to memory of 5688	1148	v7048669.exe	105
PID 1148 wrote to memory of 5688	1148	v7048669.exe	105
PID 740 wrote to memory of 6132	740	v1302736.exe	106
PID 740 wrote to memory of 6132	740	v1302736.exe	106
PID 740 wrote to memory of 6132	740	v1302736.exe	106

C:\Users\Admin\AppData\Local\Temp\a4577205375947aa64ee39ff4d1938582d51a0f54aa5db974cf2942d70642f84.exe
"C:\Users\Admin\AppData\Local\Temp\a4577205375947aa64ee39ff4d1938582d51a0f54aa5db974cf2942d70642f84.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5441965.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5441965.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1302736.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1302736.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7048669.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7048669.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3369099.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3369099.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v3445258.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v3445258.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a3809032.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a3809032.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 556
        8⤵
        Program crash
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\b8993613.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\b8993613.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:3600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 540
        8⤵
        Program crash
        
        PID:3932
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\c0477636.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\c0477636.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 580
        7⤵
        Program crash
        
        PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d5472132.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d5472132.exe
        5⤵
        Executes dropped EXE
        
        PID:5688
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\e9199856.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\e9199856.exe
      4⤵
      Executes dropped EXE
      PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4340 -ip 4340
1⤵
PID:5296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1172 -ip 1172
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5584 -ip 5584
1⤵
PID:6140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5441965.exe

Filesize
1.2MB

MD5
65816a8619e7a8c450eb999ec7f08550

SHA1
6914201bbffb926c963974e015f23fbe9d8dcd29

SHA256
02616ee5c362d17cc7b1a3249e5839ee7759037ab2703a50be34017cd5b4c86d

SHA512
558c39e7e79f706fc858e271ad43d3b1562395583650b802039beab368fecbfe5c9c585f3fc052a306c47867565140643e7be528f525dacf78e0f644b9af53d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1302736.exe

Filesize
941KB

MD5
f44c62211cae8654c3a4f101dd22985a

SHA1
a3bb5fe99ed901e4f6da49031e09c3bd49d871b8

SHA256
c6d8e3a1f184f06423a5814aba96634b9d07fdfceab0040515467490f1957749

SHA512
b5be6b063abbb2beeb4ed767298d82455cb5016d05bb0061a5175f7010949f4e1440c83a46fb6da7beb40d7269b105ddf565fbc4e12cf1a92735df2d0a20425a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\e9199856.exe

Filesize
173KB

MD5
b33da44c3d0e6a7388d3b1743ed0ba4f

SHA1
6b038b85c30cd39057a355816c10a45c0e0e0518

SHA256
c06edc85267fbafbc6bf5541d720a2efe48d8ca1879097d7c45a9070ed764bbc

SHA512
78299d89b8a7f896707f55cc4750d0a0128c8f963550fd69b16ec26af489b526690a7a4d1cd795ff695183b31036d6b7a030025e9bc3d67e943c83e98f28fe2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7048669.exe

Filesize
784KB

MD5
5598dd29a0e162d76d0ae8597cd0d0a1

SHA1
3ba3462cb9e194d40084a19562bf35ba4ab1acb7

SHA256
57007f19dc3601b4734b839d0dd7bed76fc6cbfd3d0c72f82cc0469513427190

SHA512
c66f7eacbb89247e7085ca92b86b0b841143a69b8631b1dd0c3dcd2cca65096c6061f3e0681cc712c84a59399176f2d3b58af072bc3be34b7fdd6f88ee3a48f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d5472132.exe

Filesize
140KB

MD5
eb6395af5a5a5e803c01755cbe5aaed3

SHA1
e3c1076953aae0535f2004e087a23acc0290f8a6

SHA256
f8455ac763e113c2ab95f8c6b0cf0fd522ed7d141977216750ec540174e70fe8

SHA512
78b2f3396d007a368102fe30c3708720b35713d277f54305591761b039200783c32b11408bcb0a3d7208b93bef89eed0a4b9125a7765c1b0e08974dbc89147fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3369099.exe

Filesize
619KB

MD5
d3570866e6475e113a3ad3477a9a1145

SHA1
777518d40bc61200f178ddc8703f3bf9f6816461

SHA256
8253d9b153c99e82617848476808f503818a2e241e67aa12d248cf7d0cf65f1b

SHA512
e0ea344f9c03b36a2ca74b7dcf8d8e5c48d2a00de31e360b7f9b41efda9de72c9d1a7ffc9bd21b342b20462fc80447b443836e225f4cd1a1522763b8ca8ee5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\c0477636.exe

Filesize
398KB

MD5
c0c2fa0b53eda8ef9d176683a08fd6b6

SHA1
29593ab89c7f2349603341f201fee3ee6cf8a55f

SHA256
315edc4c237279b457c35c3952825cbf67979ce09147d8421cb4c40c53de0d3d

SHA512
580fae03843522f66cb42a72be26b5ff61e1fbe3f33154087dabbc66cac14b542124e99ad4215d5184b1c9904f9e86e01ca0b46805b935372a8ddd2a0ccdd760

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v3445258.exe

Filesize
348KB

MD5
8c4509a4730d0262ace7f5f7ed1aa288

SHA1
b6a32bb57ba149a06e61b5d8131dee3857f2d5ee

SHA256
bb59f770d509e4d51f93db1e42c909d802aedf155a95a66cccb1f77159f11a53

SHA512
adfcea0b96e8d454d90e29a8fa54f051a54ea00204664e8cc88a62f062b546ca2ed3c831d7f3dd72e5b8d91fbaf4a44f65940eeb775509147c1ecccfc437dd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a3809032.exe

Filesize
235KB

MD5
a1bf57d40cd1de70243bb740018cc1f1

SHA1
adfacc186f536be02e990720bc0459c41593d254

SHA256
299a3bce2ba45678a1030338f2d35846280b49e32f258f3bf94ee407cda09dd4

SHA512
f8c704a8cdf18808d639e4f4f300afec3c9ba1373da14a0fa9d1c06be2f1c5a44be4a68bd93202e09ff70d922d77226ae39a921ed463d7d9895d65798ede9132

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\b8993613.exe

Filesize
364KB

MD5
aa3dd783f14e32133bafdbcb16bbb84d

SHA1
3b029ed3d3ce531288c3db16cba27d32ca947578

SHA256
7e13562499d2bc03cfd52959ef2ce8532458b40cec4c1d52e2a8d6ddd02de35a

SHA512
114e75fea81ee78dee3695f8286db8d01855d6a7d5cee21ef9494a44c0d1b47176a464df37df5d004831f41ceddf0e6a3ae2a8d7f18ffa968c23eeb2e46ad945

Download Submit
memory/532-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4048-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4048-47-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4048-49-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5576-53-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5576-54-0x00000000031B0000-0x00000000031B6000-memory.dmp

Filesize
24KB

Download
memory/5576-62-0x00000000059A0000-0x0000000005AAA000-memory.dmp

Filesize
1.0MB

Download
memory/5576-64-0x0000000005890000-0x00000000058A2000-memory.dmp

Filesize
72KB

Download
memory/5576-58-0x0000000005EB0000-0x00000000064C8000-memory.dmp

Filesize
6.1MB

Download
memory/5576-66-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/5576-67-0x0000000005930000-0x000000000597C000-memory.dmp

Filesize
304KB

Download
memory/6132-65-0x0000000005160000-0x0000000005166000-memory.dmp

Filesize
24KB

Download
memory/6132-63-0x0000000000980000-0x00000000009B0000-memory.dmp

Filesize
192KB

Download