healer | 60fcc3045e1b1073753937ff8c184c464a45ea76225a406024335c07f898cf7b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6.exe
Size

1.3MB
MD5

1da52a515fcdb048ad76d7864464cfb0
SHA1

e473f6794205d1deb62b752a3fc6ab1ee2b117ae
SHA256

aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6
SHA512

a2b3123a6f2693a9d5ebff9c23949cdd342ddf34e534c88a99e5e178cbb35d2e20e7dc79d61b2ededbde0a65bb04f06a4ef363842d60e06f05b8b2b92f581d40
SSDEEP

24576:HyDpyG2BdeCmEa6MW0uUCfd5J45NAxLzlN/8C5Z23cHYKWKMxHbE1X9lr4:SmYCfMWDUskNoXM534YqMuB

Score

10^/10

healer mystic redline smokeloader trush backdoor dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral15/memory/2780-33-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family
behavioral15/memory/2780-34-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family
behavioral15/memory/2780-36-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral15/files/0x0008000000023446-26.dat	healer
behavioral15/memory/1164-28-0x00000000000F0000-0x00000000000FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6776859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6776859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6776859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6776859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6776859.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6776859.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral15/memory/1036-44-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 8 IoCs

pid	Process
4728	v5832951.exe
5024	v2254232.exe
1772	v8380457.exe
1164	a6776859.exe
1212	b4942427.exe
4744	c5470569.exe
1000	d4457621.exe
4732	e8864796.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6776859.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5832951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2254232.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8380457.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1212 set thread context of 2780	1212	b4942427.exe	98
PID 4744 set thread context of 3860	4744	c5470569.exe	107
PID 1000 set thread context of 1036	1000	d4457621.exe	112

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1660	1212	WerFault.exe	96
4344	4744	WerFault.exe	102
3772	1000	WerFault.exe	110

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1164	a6776859.exe
1164	a6776859.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	a6776859.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 4728	4208	aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6.exe	82
PID 4208 wrote to memory of 4728	4208	aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6.exe	82
PID 4208 wrote to memory of 4728	4208	aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6.exe	82
PID 4728 wrote to memory of 5024	4728	v5832951.exe	83
PID 4728 wrote to memory of 5024	4728	v5832951.exe	83
PID 4728 wrote to memory of 5024	4728	v5832951.exe	83
PID 5024 wrote to memory of 1772	5024	v2254232.exe	84
PID 5024 wrote to memory of 1772	5024	v2254232.exe	84
PID 5024 wrote to memory of 1772	5024	v2254232.exe	84
PID 1772 wrote to memory of 1164	1772	v8380457.exe	85
PID 1772 wrote to memory of 1164	1772	v8380457.exe	85
PID 1772 wrote to memory of 1212	1772	v8380457.exe	96
PID 1772 wrote to memory of 1212	1772	v8380457.exe	96
PID 1772 wrote to memory of 1212	1772	v8380457.exe	96
PID 1212 wrote to memory of 2780	1212	b4942427.exe	98
PID 1212 wrote to memory of 2780	1212	b4942427.exe	98
PID 1212 wrote to memory of 2780	1212	b4942427.exe	98
PID 1212 wrote to memory of 2780	1212	b4942427.exe	98
PID 1212 wrote to memory of 2780	1212	b4942427.exe	98
PID 1212 wrote to memory of 2780	1212	b4942427.exe	98
PID 1212 wrote to memory of 2780	1212	b4942427.exe	98
PID 1212 wrote to memory of 2780	1212	b4942427.exe	98
PID 1212 wrote to memory of 2780	1212	b4942427.exe	98
PID 1212 wrote to memory of 2780	1212	b4942427.exe	98
PID 5024 wrote to memory of 4744	5024	v2254232.exe	102
PID 5024 wrote to memory of 4744	5024	v2254232.exe	102
PID 5024 wrote to memory of 4744	5024	v2254232.exe	102
PID 4744 wrote to memory of 748	4744	c5470569.exe	104
PID 4744 wrote to memory of 748	4744	c5470569.exe	104
PID 4744 wrote to memory of 748	4744	c5470569.exe	104
PID 4744 wrote to memory of 3048	4744	c5470569.exe	105
PID 4744 wrote to memory of 3048	4744	c5470569.exe	105
PID 4744 wrote to memory of 3048	4744	c5470569.exe	105
PID 4744 wrote to memory of 4140	4744	c5470569.exe	106
PID 4744 wrote to memory of 4140	4744	c5470569.exe	106
PID 4744 wrote to memory of 4140	4744	c5470569.exe	106
PID 4744 wrote to memory of 3860	4744	c5470569.exe	107
PID 4744 wrote to memory of 3860	4744	c5470569.exe	107
PID 4744 wrote to memory of 3860	4744	c5470569.exe	107
PID 4744 wrote to memory of 3860	4744	c5470569.exe	107
PID 4744 wrote to memory of 3860	4744	c5470569.exe	107
PID 4744 wrote to memory of 3860	4744	c5470569.exe	107
PID 4728 wrote to memory of 1000	4728	v5832951.exe	110
PID 4728 wrote to memory of 1000	4728	v5832951.exe	110
PID 4728 wrote to memory of 1000	4728	v5832951.exe	110
PID 1000 wrote to memory of 1036	1000	d4457621.exe	112
PID 1000 wrote to memory of 1036	1000	d4457621.exe	112
PID 1000 wrote to memory of 1036	1000	d4457621.exe	112
PID 1000 wrote to memory of 1036	1000	d4457621.exe	112
PID 1000 wrote to memory of 1036	1000	d4457621.exe	112
PID 1000 wrote to memory of 1036	1000	d4457621.exe	112
PID 1000 wrote to memory of 1036	1000	d4457621.exe	112
PID 1000 wrote to memory of 1036	1000	d4457621.exe	112
PID 4208 wrote to memory of 4732	4208	aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6.exe	115
PID 4208 wrote to memory of 4732	4208	aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6.exe	115
PID 4208 wrote to memory of 4732	4208	aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6.exe	115

C:\Users\Admin\AppData\Local\Temp\aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6.exe
"C:\Users\Admin\AppData\Local\Temp\aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5832951.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5832951.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2254232.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2254232.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8380457.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8380457.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6776859.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6776859.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4942427.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4942427.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1212
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 148
        6⤵
        Program crash
        
        PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5470569.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5470569.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:748
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3048
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4140
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        
        PID:3860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 612
        5⤵
        Program crash
        
        PID:4344
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4457621.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4457621.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 148
      4⤵
      Program crash
      PID:3772
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8864796.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8864796.exe
  2⤵
  - Executes dropped EXE
  PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1212 -ip 1212
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4744 -ip 4744
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1000 -ip 1000
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8864796.exe

Filesize
17KB

MD5
de9367f72e48f43edc2f1979ace7a2bc

SHA1
5219e61d941a421315e32eabc7ac9c3944f80181

SHA256
c7b26d2ebb210eca38eed90eefe474b254f53dca6496fd044a87ccfe7bbe6c86

SHA512
7a3d286cae4bb3816dd1af0bb46ea6591568c28ca8cee0eb5aeb1caafb6886476183159041d367201077d8ab2d22be827af5e95ca39eedb457e01ba9be4c768e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5832951.exe

Filesize
1.2MB

MD5
eb4f12e3eb5a61a3cc43c606b04e85fb

SHA1
2955eac7466e41dfb9d70ccb708eab600b1b2d9a

SHA256
be58893697215a2384e1b6d915971e46a6506757718ff8d92be24e4c043f119e

SHA512
82ee482088c38ca825ce89a41a10fa17be3664a8856f2897a7588a4d2e69030b19bc7003062599158c988d890308688dd2ed82a41b70aafaf51a67f17b2146c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4457621.exe

Filesize
1.0MB

MD5
1b30e2b46651a132dce68651e98312de

SHA1
f98fe544db67756111c5f49dfce5ee748a933c61

SHA256
1374fb694ed022d7cc221b2bdab447cb28368914ad2e0715c663de26001fe541

SHA512
bba3099f9d12ba4f1e5c2513bb2cbb918b170e678f536ad21f6e8e7f127cc35082a2394957d4d3c7311a80b56c59c3c0ee1db158fac4f79e1f60bd5bb84b3ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2254232.exe

Filesize
835KB

MD5
77da02fd3836daf3a716b5f15188c8a6

SHA1
644abdb953e857a803ad5d7edc9a2f25949cac92

SHA256
01888d19433a22cf8d9fb00c2617568e9423878c9a189e2f8fc8ea51b70a90ab

SHA512
ae9a1a729178db70ea86ae355f0be777d94f7390473aad2fd5afc4971fbc7198e5a76391b6f406861648c29654855195134bcfdc67f593ef7e372b81def622e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5470569.exe

Filesize
884KB

MD5
f9ebf61a1a4bfd8251d830ce1959b4a3

SHA1
b13e8f00d0438f8304c6c1da3549977e0803287e

SHA256
20a34a5b3ea0182f831dbc7b48ea03223daeb2afdd3540fcaef6cca6fe2972b9

SHA512
00c336e2de833be8d227994644cd2cbcf665d7f36aa93de0647ddc67bb5a80098aadc902ac71d0953dccae2bfb109ec1a6e0d581949833a9346331a3ed732db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8380457.exe

Filesize
475KB

MD5
8414aa5388c54ecc9045c0fc78b7b3bd

SHA1
8ca702c68c1b6dd02e8f4759e13e102e91ea23eb

SHA256
8bbd0f18ff7becb8601892364ac8a96951b915493898de58e5e9b43c906c814a

SHA512
6469e5953798db16ac294588b0febc10af3af74c2fadd006cf6920cc993a6bec77cb91e416f551598671fedf13587550f33600342e18dafa56e838aaa60cbc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6776859.exe

Filesize
11KB

MD5
40366aa5d4e7524ca65f8188a6c13b2e

SHA1
b5d52afb53bb31d7aea23bd1c89b98820ab8e329

SHA256
f34d4e4cb5012c143d25055a9b7a899ddbfbd5e88c6fb3979bb382a3f5b1b69b

SHA512
7bffbd6f30f4b0b15cd4e27152e6ec46ad3efc25e3b47318d3e893f6ec7f2336107e03d091660c660e79844e5b49d804b993093b7bd09c726a21d4ff37c977a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4942427.exe

Filesize
1.0MB

MD5
fc4c90f9a7556f7f9d380000559aa293

SHA1
c558b17befdd5747afe5552ff0676f15299efe44

SHA256
5d2f8086eaf672566d2b7950b0681773ba7568b742e4d6c05657af9192b103ac

SHA512
f4f9ef3694fef80e5702d1a97b8bd6d335c6042998ad51267c67a13b40901613001971d9b0379e0ae8da7f47808db7ca7d617d04979b0d9cd551383c5f6f8082

Download Submit
memory/1036-49-0x000000000B400000-0x000000000BA18000-memory.dmp

Filesize
6.1MB

Download
memory/1036-44-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1036-45-0x0000000003240000-0x0000000003246000-memory.dmp

Filesize
24KB

Download
memory/1036-50-0x000000000AEF0000-0x000000000AFFA000-memory.dmp

Filesize
1.0MB

Download
memory/1036-51-0x000000000AE00000-0x000000000AE12000-memory.dmp

Filesize
72KB

Download
memory/1036-52-0x000000000AE60000-0x000000000AE9C000-memory.dmp

Filesize
240KB

Download
memory/1036-53-0x00000000053A0000-0x00000000053EC000-memory.dmp

Filesize
304KB

Download
memory/1164-28-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/2780-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3860-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download