healer | 754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e

Resubmissions

28-10-2024 23:03

241028-2127jaxkgr 10

21-03-2023 01:55

230321-ccfk7agd36 10

Analysis

max time kernel
141s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e.exe
Size

779KB
MD5

6c7b6f945d9c685bab02bd41eb30d868
SHA1

0aa978cc4e9592040db95c7a34a241c31da51018
SHA256

754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e
SHA512

12da401b4fa468695905e10be71fd3cc12e7c3b0e2e912dbaddc46b968123468419c4e5fb5b65dbc4766bc9b3e62d8b00583dfdca4df6f583931302cb7a8254e
SSDEEP

12288:8Mrdy90k4QqkMnF4T+hYYLgzge+f6FMsTlf8Q5TWiClpcUhvHhz:Byn45vSTmlLghyKMsTlfDRWflJvHl

Score

10^/10

healer redline gena discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

gena

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

resource	yara_rule
behavioral1/files/0x00080000000191fd-24.dat	healer
behavioral1/memory/2724-28-0x0000000000C70000-0x0000000000C7A000-memory.dmp	healer
behavioral1/memory/2788-39-0x0000000000500000-0x000000000051A000-memory.dmp	healer
behavioral1/memory/2788-40-0x0000000000570000-0x0000000000588000-memory.dmp	healer
behavioral1/memory/2788-52-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-44-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-62-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-68-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-66-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-64-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-60-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-58-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-56-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-54-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-50-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-48-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-46-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-42-0x0000000000570000-0x0000000000582000-memory.dmp	healer
behavioral1/memory/2788-41-0x0000000000570000-0x0000000000582000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	pro1057.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1057.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1057.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1057.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	qu1302.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	qu1302.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1057.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1057.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	qu1302.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	qu1302.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	qu1302.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/2204-81-0x0000000000C70000-0x0000000000CB6000-memory.dmp	family_redline
behavioral1/memory/2204-82-0x00000000025C0000-0x0000000002604000-memory.dmp	family_redline
behavioral1/memory/2204-83-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-84-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-86-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-88-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-90-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-92-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-106-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-95-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-114-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-116-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-112-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-110-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-108-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-104-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-102-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-100-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-98-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline
behavioral1/memory/2204-96-0x00000000025C0000-0x00000000025FE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
2112	unio4989.exe
1704	unio8873.exe
2724	pro1057.exe
2788	qu1302.exe
2204	rQB45s41.exe

Loads dropped DLL 11 IoCs

pid	Process
2560	754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e.exe
2112	unio4989.exe
2112	unio4989.exe
1704	unio8873.exe
1704	unio8873.exe
1704	unio8873.exe
1704	unio8873.exe
2788	qu1302.exe
2112	unio4989.exe
2112	unio4989.exe
2204	rQB45s41.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	qu1302.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	qu1302.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	pro1057.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1057.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	unio4989.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	unio8873.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rQB45s41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unio4989.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unio8873.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu1302.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2724	pro1057.exe
2724	pro1057.exe
2788	qu1302.exe
2788	qu1302.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	pro1057.exe
Token: SeDebugPrivilege	2788	qu1302.exe
Token: SeDebugPrivilege	2204	rQB45s41.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2112	2560	754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e.exe	30
PID 2560 wrote to memory of 2112	2560	754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e.exe	30
PID 2560 wrote to memory of 2112	2560	754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e.exe	30
PID 2560 wrote to memory of 2112	2560	754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e.exe	30
PID 2560 wrote to memory of 2112	2560	754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e.exe	30
PID 2560 wrote to memory of 2112	2560	754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e.exe	30
PID 2560 wrote to memory of 2112	2560	754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e.exe	30
PID 2112 wrote to memory of 1704	2112	unio4989.exe	31
PID 2112 wrote to memory of 1704	2112	unio4989.exe	31
PID 2112 wrote to memory of 1704	2112	unio4989.exe	31
PID 2112 wrote to memory of 1704	2112	unio4989.exe	31
PID 2112 wrote to memory of 1704	2112	unio4989.exe	31
PID 2112 wrote to memory of 1704	2112	unio4989.exe	31
PID 2112 wrote to memory of 1704	2112	unio4989.exe	31
PID 1704 wrote to memory of 2724	1704	unio8873.exe	32
PID 1704 wrote to memory of 2724	1704	unio8873.exe	32
PID 1704 wrote to memory of 2724	1704	unio8873.exe	32
PID 1704 wrote to memory of 2724	1704	unio8873.exe	32
PID 1704 wrote to memory of 2724	1704	unio8873.exe	32
PID 1704 wrote to memory of 2724	1704	unio8873.exe	32
PID 1704 wrote to memory of 2724	1704	unio8873.exe	32
PID 1704 wrote to memory of 2788	1704	unio8873.exe	34
PID 1704 wrote to memory of 2788	1704	unio8873.exe	34
PID 1704 wrote to memory of 2788	1704	unio8873.exe	34
PID 1704 wrote to memory of 2788	1704	unio8873.exe	34
PID 1704 wrote to memory of 2788	1704	unio8873.exe	34
PID 1704 wrote to memory of 2788	1704	unio8873.exe	34
PID 1704 wrote to memory of 2788	1704	unio8873.exe	34
PID 2112 wrote to memory of 2204	2112	unio4989.exe	35
PID 2112 wrote to memory of 2204	2112	unio4989.exe	35
PID 2112 wrote to memory of 2204	2112	unio4989.exe	35
PID 2112 wrote to memory of 2204	2112	unio4989.exe	35
PID 2112 wrote to memory of 2204	2112	unio4989.exe	35
PID 2112 wrote to memory of 2204	2112	unio4989.exe	35
PID 2112 wrote to memory of 2204	2112	unio4989.exe	35

C:\Users\Admin\AppData\Local\Temp\754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e.exe
"C:\Users\Admin\AppData\Local\Temp\754c8228a8f90fa5aad24c1af9b6061b6763a4f274f86f8c420dfb380c613f2e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4989.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4989.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio8873.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio8873.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro1057.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro1057.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu1302.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu1302.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2788
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rQB45s41.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rQB45s41.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4989.exe

Filesize
636KB

MD5
a4cd4086c4e93e87e0761b4f6fb9fc78

SHA1
8cfb88724e17e0dacccc6dac7106cd36deeddcb5

SHA256
36ae4e2e0cd6f3744cc3697f1aa8d36fbc23988753d59488f4bd256214b989fb

SHA512
e9129e1366886c753321757bafaea7700e12a821c5c86c028a126eae1f1c744a408fc76b5a3328c0da30461b0497b315cb08e138cd53e6f9ad7b1cced580112c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rQB45s41.exe

Filesize
290KB

MD5
3d531558bb283ffc7de26db762e30214

SHA1
bb15a326518068e2b6fb088255d5e40c52291945

SHA256
dd8ff93d93aa3642c9f4f9c98f7ab9c326c61a7bbb48885d569d2cb047efe9c4

SHA512
0efd1f32dc5b0478a0cec20f3e2797e0821a88152025bad2d8c02227753e8530e71522e2fe561b8514d9130cca0d10aeb31b36adab82edc718bf66b6b886b49f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio8873.exe

Filesize
315KB

MD5
215b0d11f6de55e2abd48763b3458715

SHA1
c739b056ed16dae84359f8ddde80458db6066bf2

SHA256
b60d7b687c709a3b4d698fd3403cb7aa8ec863ee25cea8d0df40a8ae7e03c358

SHA512
a126031fe8595eba460fe9ee445e7546b4e599e465bde7440163679b850119d730c349e4d2b5f47f787b9414a5eca316f2e80a8b79e59290e45d8159e71786df

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro1057.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu1302.exe

Filesize
232KB

MD5
c551fb83d13c2611a5364cadc91cd8e4

SHA1
a2cc49a0783c6cb0775b87fb5d9bfbef514b7825

SHA256
1e7267c8f9d41b535375fc339a362340b9b463c673f7f10f5feb5931fc3e9109

SHA512
ae0aeae3d67b7546a7f5e34fc005ccc19ece692d3dc2833de04114284eca9a23d7c859de9b7fd4b0701e49a3d1ccfb9feb9c4942e4cae81e67f5370bf2353db4

Download Submit
memory/2204-110-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-95-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-100-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-102-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-104-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-108-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-96-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-82-0x00000000025C0000-0x0000000002604000-memory.dmp

Filesize
272KB

Download
memory/2204-112-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-116-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-114-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-98-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-106-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-92-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-90-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-88-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-86-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-84-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-83-0x00000000025C0000-0x00000000025FE000-memory.dmp

Filesize
248KB

Download
memory/2204-81-0x0000000000C70000-0x0000000000CB6000-memory.dmp

Filesize
280KB

Download
memory/2724-28-0x0000000000C70000-0x0000000000C7A000-memory.dmp

Filesize
40KB

Download
memory/2788-66-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-70-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2788-69-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2788-41-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-42-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-46-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-48-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-50-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-54-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-56-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-58-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-60-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-64-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-68-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-62-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-44-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-52-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2788-40-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/2788-39-0x0000000000500000-0x000000000051A000-memory.dmp

Filesize
104KB

Download