healer | c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1

Resubmissions

24-10-2024 12:35

241024-pssa5swdma 10

14-04-2023 13:17

230414-qjqavsbd9s 10

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe
Size

1.2MB
MD5

f50317c48f53767776f84e6b1d1f965e
SHA1

8b3eddf9d8ef16d946f3d44dbcc6f26f8d81db39
SHA256

c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1
SHA512

3a57a654d7c5fe7bf61ade9622ec1a5f5e86b93f842a9194128d5d886a0c1a2612b5911fb17141cb013ed20fc0435c590b2cc53e7a67dd0cfc8f49ee31b381d7
SSDEEP

24576:BywKU/yOHbtGNBHRtH+yfB8ziKQlAscXCZUh+:0wKU/H7yRRtHdGzAK

Score

10^/10

healer redline dirx soft discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

soft

77.91.124.146:4121

Attributes

auth_value
e65663e455bca3c5699650b66e76ceaa

Extracted

Family

redline

Botnet

dirx

77.91.124.146:4121

Attributes

auth_value
522d988f763be056e53e089f74d464cc

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1468-22-0x00000000026C0000-0x00000000026DA000-memory.dmp	healer
behavioral1/memory/1468-24-0x0000000002900000-0x0000000002918000-memory.dmp	healer
behavioral1/memory/1468-52-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-50-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-49-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-46-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-44-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-42-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-40-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-38-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-36-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-34-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-32-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-30-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-28-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-26-0x0000000002900000-0x0000000002912000-memory.dmp	healer
behavioral1/memory/1468-25-0x0000000002900000-0x0000000002912000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr050884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr050884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr050884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr050884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr050884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr050884.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1924-2190-0x0000000005030000-0x0000000005062000-memory.dmp	family_redline
behavioral1/files/0x0010000000023b44-2195.dat	family_redline
behavioral1/memory/1500-2203-0x0000000000020000-0x000000000004E000-memory.dmp	family_redline
behavioral1/files/0x0007000000023c89-2212.dat	family_redline
behavioral1/memory/5568-2213-0x0000000000770000-0x00000000007A0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	qu117750.exe

Executes dropped EXE 6 IoCs

pid	Process
1504	un084722.exe
3900	un073498.exe
1468	pr050884.exe
1924	qu117750.exe
1500	1.exe
5568	rk301836.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr050884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr050884.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un084722.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un073498.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4948	1468	WerFault.exe	87
5384	1924	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un084722.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un073498.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr050884.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu117750.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk301836.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1468	pr050884.exe
1468	pr050884.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	pr050884.exe
Token: SeDebugPrivilege	1924	qu117750.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1504	2484	c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe	84
PID 2484 wrote to memory of 1504	2484	c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe	84
PID 2484 wrote to memory of 1504	2484	c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe	84
PID 1504 wrote to memory of 3900	1504	un084722.exe	85
PID 1504 wrote to memory of 3900	1504	un084722.exe	85
PID 1504 wrote to memory of 3900	1504	un084722.exe	85
PID 3900 wrote to memory of 1468	3900	un073498.exe	87
PID 3900 wrote to memory of 1468	3900	un073498.exe	87
PID 3900 wrote to memory of 1468	3900	un073498.exe	87
PID 3900 wrote to memory of 1924	3900	un073498.exe	93
PID 3900 wrote to memory of 1924	3900	un073498.exe	93
PID 3900 wrote to memory of 1924	3900	un073498.exe	93
PID 1924 wrote to memory of 1500	1924	qu117750.exe	95
PID 1924 wrote to memory of 1500	1924	qu117750.exe	95
PID 1924 wrote to memory of 1500	1924	qu117750.exe	95
PID 1504 wrote to memory of 5568	1504	un084722.exe	98
PID 1504 wrote to memory of 5568	1504	un084722.exe	98
PID 1504 wrote to memory of 5568	1504	un084722.exe	98

C:\Users\Admin\AppData\Local\Temp\c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe
"C:\Users\Admin\AppData\Local\Temp\c9fe85507eef89f59dba96ec7b50dd9a8a2de45f73cd62f1b8a926e3a5f99ae1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084722.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084722.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un073498.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un073498.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr050884.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr050884.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1088
        5⤵
        Program crash
        
        PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu117750.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu117750.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1500
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1460
        5⤵
        Program crash
        
        PID:5384
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk301836.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk301836.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1468 -ip 1468
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1924 -ip 1924
1⤵
PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084722.exe

Filesize
863KB

MD5
579fd4538fc766d796f6be0fbb9f211d

SHA1
d8b9c5192310e8f9f8cec6f2119130a3ea4cbc23

SHA256
c7797acc248faa03db95bf14c315969a0f2f4a18a63f67071303319cf7660888

SHA512
d7ba0728f9656f55bdfb27e16e3aaefc97fea662e75b61ea6bdf6883b5d553254c745e0b31e4b7848b1b7bf9964ff7e5f6a67bc7d9341aad641c2c650c5cae9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk301836.exe

Filesize
168KB

MD5
ba8c17a6a3824c09180ea2fd84bbc365

SHA1
186d9bf51d66bb02e9edf30c345e5a0a793668a5

SHA256
818f4d1b9229ea05c481a7492240a72a248cfc631d5dfaad9aba8952c1885651

SHA512
9ddc4c37d2a4e10efdf68a7f47343e3fdca3c34d3587c7e14c2383744d1912382115f8b80e1b6c1ae7f76e6b4040667bff264736413e92bbe973dcec7651606f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un073498.exe

Filesize
710KB

MD5
51c31284296e7c02517f8a1cba189339

SHA1
18103ef35d0315e0f4400421a6bd0b8764a96982

SHA256
d9205e56d7c5a53d4736874876b32fd6d456a75975956d8b7822ae5673bc25ac

SHA512
69981adc7157820660be84bd43b0c51e8c0fc3d74d7648e5e3b12c60d5e271d56a897cfadf9a5807a8eb017d28b2105e7fc33e8cda3c2a5ba1aec289729fb41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr050884.exe

Filesize
403KB

MD5
b9c4a44e1a8586648f08620be266a8ae

SHA1
7bd3f41279d131b38ccb6cd9503e8c7663ee1265

SHA256
c6ee8b9c4e3a590596803001338e738da884532e6e19a216a3dec4c2d9bcfe93

SHA512
525c1a91dde78bd6c127265d7647a40df1b8d4a83387dc880a2acf967e4753b4e4946bac545197943147bbfec3a8416e511ffa712074d1c64360e3ef523e2314

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu117750.exe

Filesize
588KB

MD5
10a407a5fe393739001dcf7e4f24a5b1

SHA1
a6d2a4c6aa55cfddbeeb605550a7f1fe5937746e

SHA256
97bace2fbafe4af536fa145e1dfc17cb109504eee17bf4ca99a4ec1e903963ad

SHA512
7bd95a691d0f43cadbfbbdfc07608bf03a500f0b6413507f27f9dd9ef8dbd09324af7b72b01f1333c87bb694bda738bd38665f9863ffbf83d0562b56d4a7bc9d

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
memory/1468-36-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-30-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-52-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-50-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-49-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-46-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-44-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-42-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-40-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-38-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-22-0x00000000026C0000-0x00000000026DA000-memory.dmp

Filesize
104KB

Download
memory/1468-34-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-32-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-24-0x0000000002900000-0x0000000002918000-memory.dmp

Filesize
96KB

Download
memory/1468-28-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-26-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-25-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/1468-53-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/1468-55-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/1468-23-0x0000000004F80000-0x0000000005524000-memory.dmp

Filesize
5.6MB

Download
memory/1500-2204-0x00000000007A0000-0x00000000007A6000-memory.dmp

Filesize
24KB

Download
memory/1500-2206-0x0000000004AA0000-0x0000000004BAA000-memory.dmp

Filesize
1.0MB

Download
memory/1500-2203-0x0000000000020000-0x000000000004E000-memory.dmp

Filesize
184KB

Download
memory/1500-2207-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1500-2209-0x0000000004A10000-0x0000000004A4C000-memory.dmp

Filesize
240KB

Download
memory/1500-2215-0x0000000004A50000-0x0000000004A9C000-memory.dmp

Filesize
304KB

Download
memory/1500-2205-0x0000000004FB0000-0x00000000055C8000-memory.dmp

Filesize
6.1MB

Download
memory/1924-95-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-63-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-79-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-77-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-75-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-83-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-73-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-71-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-69-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-67-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-65-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-81-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-85-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-87-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-90-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-62-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-60-0x0000000002990000-0x00000000029F8000-memory.dmp

Filesize
416KB

Download
memory/1924-2190-0x0000000005030000-0x0000000005062000-memory.dmp

Filesize
200KB

Download
memory/1924-61-0x0000000004FA0000-0x0000000005006000-memory.dmp

Filesize
408KB

Download
memory/1924-93-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/1924-91-0x0000000004FA0000-0x0000000005000000-memory.dmp

Filesize
384KB

Download
memory/5568-2213-0x0000000000770000-0x00000000007A0000-memory.dmp

Filesize
192KB

Download
memory/5568-2214-0x0000000002950000-0x0000000002956000-memory.dmp

Filesize
24KB

Download