healer | 29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe
Size

1.0MB
MD5

952195bdb3f28b26ac1cfa514176b2ce
SHA1

0eec1d319d905808e61012b5942038114b4fbf87
SHA256

29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675
SHA512

9898ba3f16360532bdfd80fc7b84e0c77df8a095d18a3a84f025cacce0244083b834d68ce354f25d42e8bad02a458492847f5963fa44f1bead456d81907a8bc3
SSDEEP

12288:KMr9y90KdNQvVKKq5X72pwSiEX2yiqS2pKv/9AS5gaDCKgOrOSCJGtqVF3XarfKj:vyXiVCL9EA2UYAOJrVFarI/2S

Score

10^/10

healer redline sony discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023454-26.dat	healer
behavioral1/memory/1132-28-0x0000000000FE0000-0x0000000000FEA000-memory.dmp	healer
behavioral1/memory/920-34-0x0000000002500000-0x000000000251A000-memory.dmp	healer
behavioral1/memory/920-36-0x0000000004CB0000-0x0000000004CC8000-memory.dmp	healer
behavioral1/memory/920-46-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-64-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-62-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-60-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-58-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-57-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-54-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-52-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-50-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-48-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-44-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-42-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-40-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-38-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer
behavioral1/memory/920-37-0x0000000004CB0000-0x0000000004CC2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7684.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0871GR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0871GR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0871GR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0871GR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0871GR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0871GR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz7684.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4428-72-0x00000000025F0000-0x0000000002636000-memory.dmp	family_redline
behavioral1/memory/4428-73-0x00000000027C0000-0x0000000002804000-memory.dmp	family_redline
behavioral1/memory/4428-83-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-85-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-107-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-105-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-103-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-101-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-99-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-97-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-95-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-93-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-91-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-89-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-87-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-81-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-79-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-77-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-75-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline
behavioral1/memory/4428-74-0x00000000027C0000-0x00000000027FE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3696	zap4694.exe
2204	zap9122.exe
4588	zap4254.exe
1132	tz7684.exe
920	v0871GR.exe
4428	w89QO90.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7684.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0871GR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0871GR.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap4254.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap4694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap9122.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3588	920	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w89QO90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap4694.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap9122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap4254.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v0871GR.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1132	tz7684.exe
1132	tz7684.exe
920	v0871GR.exe
920	v0871GR.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1132	tz7684.exe
Token: SeDebugPrivilege	920	v0871GR.exe
Token: SeDebugPrivilege	4428	w89QO90.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 3696	4816	29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe	82
PID 4816 wrote to memory of 3696	4816	29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe	82
PID 4816 wrote to memory of 3696	4816	29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe	82
PID 3696 wrote to memory of 2204	3696	zap4694.exe	83
PID 3696 wrote to memory of 2204	3696	zap4694.exe	83
PID 3696 wrote to memory of 2204	3696	zap4694.exe	83
PID 2204 wrote to memory of 4588	2204	zap9122.exe	84
PID 2204 wrote to memory of 4588	2204	zap9122.exe	84
PID 2204 wrote to memory of 4588	2204	zap9122.exe	84
PID 4588 wrote to memory of 1132	4588	zap4254.exe	85
PID 4588 wrote to memory of 1132	4588	zap4254.exe	85
PID 4588 wrote to memory of 920	4588	zap4254.exe	86
PID 4588 wrote to memory of 920	4588	zap4254.exe	86
PID 4588 wrote to memory of 920	4588	zap4254.exe	86
PID 2204 wrote to memory of 4428	2204	zap9122.exe	90
PID 2204 wrote to memory of 4428	2204	zap9122.exe	90
PID 2204 wrote to memory of 4428	2204	zap9122.exe	90

C:\Users\Admin\AppData\Local\Temp\29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe
"C:\Users\Admin\AppData\Local\Temp\29c01ad33ca786d5059307c6dc90f05fa212596f2a5906924d36886ea5837675.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4694.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4694.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9122.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9122.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4254.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4254.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1080
        6⤵
        Program crash
        
        PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w89QO90.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w89QO90.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 920 -ip 920
1⤵
PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4694.exe

Filesize
842KB

MD5
d52e020e29ac4dc44aaf18c7379768b5

SHA1
932892064d0ac9d9f209a8acef76878d985eb4df

SHA256
c29af8e595e5a0daf31a2d2ab4213c9cf321a8918b42233bf2703eb74916ebc5

SHA512
609ed4b9b903be40c816b1bb538db41d9ac6baddde74d7c04d6c49abf268c917910df14c1eca6fe5db8d83cf1993ccaaeb92f082ccd73cbda79dc6d7cb5c9baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9122.exe

Filesize
700KB

MD5
ed402590ff039ffcbcdd2b43ab75dc55

SHA1
6d4956bd6e5ea8994aa8e424731608341946cf23

SHA256
6ed9364a697efaf9608cd2745b64743f32776eac35b5344785a21b597f8e0f49

SHA512
1cd899055a40abed5483080e6c4dbf6c524198bcf644fe46253741737f2a4ef2c292a7b7aa0f65c5d13c81669377451a15a1e0e7dd7389eb0bfcca541a945113

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w89QO90.exe

Filesize
359KB

MD5
2ff54b9ce97a7993e8a90e32dae619c9

SHA1
f39ae8a1dd6f92f0c34505486802194684e5161b

SHA256
e183224970df28862498cd6f5516f6e081c41d6dceda19f2a0ae8e4e88af4f30

SHA512
bbe5ad76e51e9b295f2967c78fb63e06c0b367b3a73ae8e081d61558f2bc0ced464ffed796fc99a3b758a743d367b736b54c009a84463311fa91bf9445326175

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4254.exe

Filesize
347KB

MD5
146f4d7810661af22f98e4369e9059b6

SHA1
33bc262fde6c40cdfca91cf0037cb0a699a8e7aa

SHA256
ffcfeb6ca7d2f87a37c09f4d18baf6c0b58c3d4fb40160179d59e0c549af2bf6

SHA512
94ae0e64921727863f2addcbb1cbe4d531808c42391ef548cec006123924cea8c49f4f029114cfc559dcc72ddbb0ca6b1f1eab6edac0155a4d1a27060d7085e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7684.exe

Filesize
12KB

MD5
8f08d2e339b767178cdecb7dda3fe081

SHA1
2848cb064709300ab76f3361835d695451466ba9

SHA256
f5a02f6f36d7c968622dd2cbceb9f7856ebe3f11023a65c354aca81e8cb94aaf

SHA512
c5eaac2201ca7ba222ae4d9f2a44f467cfae1a8d37b5f87ed63431ac03af92cd41b2116eced14c611c8b128c6ea1cc4652d4eb6093e8ae46aac5f37c1fbc1b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0871GR.exe

Filesize
300KB

MD5
f4f9b13f02077cc87b4562b561dd10c8

SHA1
32478adb6ee61315b06f1f76464ceeb53f2c45fa

SHA256
2297566e52c196e2772d9ba7f2bf10b6aec0ee5c6c2c1db617865be6cb618a70

SHA512
80a5b1c76d56696d748130098bacd0a1fb4be697531d8b361288cde6b3c79ccedc889f86050f5eab7acd65e477c75eb4a36fc6e23749e596b426de5c3b4a51e2

Download Submit
memory/920-67-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/920-35-0x0000000004E60000-0x0000000005404000-memory.dmp

Filesize
5.6MB

Download
memory/920-36-0x0000000004CB0000-0x0000000004CC8000-memory.dmp

Filesize
96KB

Download
memory/920-46-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-64-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-62-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-60-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-58-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-57-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-54-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-52-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-50-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-48-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-44-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-42-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-40-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-38-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-37-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/920-65-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/920-34-0x0000000002500000-0x000000000251A000-memory.dmp

Filesize
104KB

Download
memory/1132-28-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

Filesize
40KB

Download
memory/4428-83-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-89-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-72-0x00000000025F0000-0x0000000002636000-memory.dmp

Filesize
280KB

Download
memory/4428-85-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-107-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-105-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-103-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-101-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-99-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-97-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-95-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-93-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-91-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-73-0x00000000027C0000-0x0000000002804000-memory.dmp

Filesize
272KB

Download
memory/4428-87-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-81-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-79-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-77-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-75-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-74-0x00000000027C0000-0x00000000027FE000-memory.dmp

Filesize
248KB

Download
memory/4428-980-0x00000000055D0000-0x0000000005BE8000-memory.dmp

Filesize
6.1MB

Download
memory/4428-981-0x0000000005BF0000-0x0000000005CFA000-memory.dmp

Filesize
1.0MB

Download
memory/4428-982-0x0000000004F70000-0x0000000004F82000-memory.dmp

Filesize
72KB

Download
memory/4428-983-0x0000000004F90000-0x0000000004FCC000-memory.dmp

Filesize
240KB

Download
memory/4428-984-0x0000000005E00000-0x0000000005E4C000-memory.dmp

Filesize
304KB

Download