healer | 400a6d7b57053b34e5d9b99f4a6c16f7c71accdf98926cd6e88e4d7ccb4b0748

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

400a6d7b57053b34e5d9b99f4a6c16f7c71accdf98926cd6e88e4d7ccb4b0748.exe
Size

1.1MB
MD5

741c0555a170248aba9d97b60505b02f
SHA1

4f8e1b4de8577f80f39633a92b7700ec2cb89788
SHA256

400a6d7b57053b34e5d9b99f4a6c16f7c71accdf98926cd6e88e4d7ccb4b0748
SHA512

a668432cd31a9702293004456f6a37db274620b47906364ee02ec6c61502a72b09ebc915c657762aab8805d8033e40ab86189c16436ee561221a691a9eea7ac7
SSDEEP

24576:hyuR9COYqYbLB9ixfBPp+YfBpMzSKesujFLL5O:U0COYqYXOB+YP0yJLL

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c9e-32.dat	healer
behavioral1/memory/2428-35-0x0000000000F00000-0x0000000000F0A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	icj89xG87.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	icj89xG87.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	icj89xG87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	icj89xG87.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	icj89xG87.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	icj89xG87.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4104-41-0x0000000002380000-0x00000000023C6000-memory.dmp	family_redline
behavioral1/memory/4104-43-0x0000000002650000-0x0000000002694000-memory.dmp	family_redline
behavioral1/memory/4104-55-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-57-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-107-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-105-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-103-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-101-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-99-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-95-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-93-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-91-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-89-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-87-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-85-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-81-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-79-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-77-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-75-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-73-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-69-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-67-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-65-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-63-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-61-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-59-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-53-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-51-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-49-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-47-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-97-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-83-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-71-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-45-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline
behavioral1/memory/4104-44-0x0000000002650000-0x000000000268E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
3208	vmBN74BN92.exe
4596	vmsE95LD43.exe
2860	vmmi44mY04.exe
3652	vmLI71bF74.exe
2428	icj89xG87.exe
4104	kKO85CT45.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	icj89xG87.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vmsE95LD43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	vmmi44mY04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	vmLI71bF74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	400a6d7b57053b34e5d9b99f4a6c16f7c71accdf98926cd6e88e4d7ccb4b0748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vmBN74BN92.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	400a6d7b57053b34e5d9b99f4a6c16f7c71accdf98926cd6e88e4d7ccb4b0748.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmBN74BN92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmsE95LD43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmmi44mY04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmLI71bF74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kKO85CT45.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2428	icj89xG87.exe
2428	icj89xG87.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	icj89xG87.exe
Token: SeDebugPrivilege	4104	kKO85CT45.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 3208	3384	400a6d7b57053b34e5d9b99f4a6c16f7c71accdf98926cd6e88e4d7ccb4b0748.exe	84
PID 3384 wrote to memory of 3208	3384	400a6d7b57053b34e5d9b99f4a6c16f7c71accdf98926cd6e88e4d7ccb4b0748.exe	84
PID 3384 wrote to memory of 3208	3384	400a6d7b57053b34e5d9b99f4a6c16f7c71accdf98926cd6e88e4d7ccb4b0748.exe	84
PID 3208 wrote to memory of 4596	3208	vmBN74BN92.exe	85
PID 3208 wrote to memory of 4596	3208	vmBN74BN92.exe	85
PID 3208 wrote to memory of 4596	3208	vmBN74BN92.exe	85
PID 4596 wrote to memory of 2860	4596	vmsE95LD43.exe	86
PID 4596 wrote to memory of 2860	4596	vmsE95LD43.exe	86
PID 4596 wrote to memory of 2860	4596	vmsE95LD43.exe	86
PID 2860 wrote to memory of 3652	2860	vmmi44mY04.exe	87
PID 2860 wrote to memory of 3652	2860	vmmi44mY04.exe	87
PID 2860 wrote to memory of 3652	2860	vmmi44mY04.exe	87
PID 3652 wrote to memory of 2428	3652	vmLI71bF74.exe	88
PID 3652 wrote to memory of 2428	3652	vmLI71bF74.exe	88
PID 3652 wrote to memory of 4104	3652	vmLI71bF74.exe	99
PID 3652 wrote to memory of 4104	3652	vmLI71bF74.exe	99
PID 3652 wrote to memory of 4104	3652	vmLI71bF74.exe	99

C:\Users\Admin\AppData\Local\Temp\400a6d7b57053b34e5d9b99f4a6c16f7c71accdf98926cd6e88e4d7ccb4b0748.exe
"C:\Users\Admin\AppData\Local\Temp\400a6d7b57053b34e5d9b99f4a6c16f7c71accdf98926cd6e88e4d7ccb4b0748.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmBN74BN92.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmBN74BN92.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmsE95LD43.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmsE95LD43.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmmi44mY04.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmmi44mY04.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmLI71bF74.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmLI71bF74.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\icj89xG87.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\icj89xG87.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kKO85CT45.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kKO85CT45.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmBN74BN92.exe

Filesize
980KB

MD5
fcaecb51514b498fd03577bd6c0029c4

SHA1
d72445df91670ef0dcd21392eee0bf83d2edb63b

SHA256
6c4767a185b66ad6e82455f5e0df70c415c61088dde75af1025110d0b607f361

SHA512
2b580d8ce642f4f3d4ebf66c2910647dbcec3ddbf889db8ba4298e4ce2c1892131a2b9356f0610a0720802d79d4ff54e840148b71e340530f05cf008bfb4b230

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmsE95LD43.exe

Filesize
889KB

MD5
2b2e84a38220cb2e4d9fb1ee8b4c9514

SHA1
c70f671c780f70497c9ec5d1fa1d36c1c918af3f

SHA256
443e7d42a9d2067b03ea918b7ca92adec5544d32f3893dafac7b08dffce29c6e

SHA512
01184223cc8e57db0c68d0d08c27048be2f23937d156965f3c744e1c2e1f8b9cf61ef40824a627e936922a4ae24959792b29ca7245aae9fbad3243f6b8aaff2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmmi44mY04.exe

Filesize
666KB

MD5
927a0a48d86b187376e5fac1379b0aec

SHA1
6b323156b37103a1994db56bd224f04114f3acd1

SHA256
9bb945dadafbad271d7e2fc2d41528ec9d5ac84dba911e540d0dc3c7c925bf5a

SHA512
b504744f3000492a8da46af6f9644e13b3a00bfb24a4eba2bce6b98603ce4b65eb229c6d04dd88bd911dbe2f882ae658fc152cd442d4a3bfb6fd9bcc6ab23427

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmLI71bF74.exe

Filesize
386KB

MD5
566c15457705ed0221772f34189d9301

SHA1
130e621596d6ca71cccb2393cc5eb8ea616de735

SHA256
5894b3a29d03d51115277d310dca64988852ee38a427fe705e3da534cbb6d1bb

SHA512
4a09dccbe4cc7a3b7d04cf1ecb7c6f2382266a7498ee6858e81e7c7768b62429e9c17386cfa4519cdc5c58b58ef59833f4036180d0483a8b671ec2305e97e4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\icj89xG87.exe

Filesize
11KB

MD5
60f6b342af751b06cb233fa91538006f

SHA1
b4055971a9c669798a18426cab7a800ecea907ee

SHA256
ed4522161bc53e073a4db6b6333c7ad02aa01b65a141dee2b30a25c94fbfdb4f

SHA512
d31ca9ce6cd1721ce939ba1a3864a072936f6d5d8f90baf298ff83db44d8cbb032a582c166b21221c81af67b2ec56b78f6bbe57f88bb0e502e26df91528c5087

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kKO85CT45.exe

Filesize
300KB

MD5
bc06501e2cbbcfd5b533d51c6a5ef3fb

SHA1
7caa42a1b56383b958098d71bdffbe0b69b1ba93

SHA256
1ea5e787e9d231e9e5c0ebc4a058e587a9b37057469fc949d6458acef78a6c16

SHA512
98da782c0b87b2b6dca516a98a86a0bd90966be55b40ed55cb61975277efbb366d3fb7d3ef8fbbb841cf62d2c39c842db8180013667193caff98285dd3769970

Download Submit
memory/2428-35-0x0000000000F00000-0x0000000000F0A000-memory.dmp

Filesize
40KB

Download
memory/4104-79-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-69-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-43-0x0000000002650000-0x0000000002694000-memory.dmp

Filesize
272KB

Download
memory/4104-55-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-57-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-107-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-105-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-103-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-101-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-99-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-95-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-93-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-91-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-89-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-87-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-85-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-81-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-41-0x0000000002380000-0x00000000023C6000-memory.dmp

Filesize
280KB

Download
memory/4104-77-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-75-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-73-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-42-0x0000000004D70000-0x0000000005314000-memory.dmp

Filesize
5.6MB

Download
memory/4104-67-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-65-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-63-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-61-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-59-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-53-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-51-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-49-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-47-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-97-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-83-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-71-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-45-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-44-0x0000000002650000-0x000000000268E000-memory.dmp

Filesize
248KB

Download
memory/4104-950-0x0000000005320000-0x0000000005938000-memory.dmp

Filesize
6.1MB

Download
memory/4104-951-0x0000000005940000-0x0000000005A4A000-memory.dmp

Filesize
1.0MB

Download
memory/4104-952-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/4104-953-0x0000000004CD0000-0x0000000004D0C000-memory.dmp

Filesize
240KB

Download
memory/4104-954-0x0000000005B50000-0x0000000005B9C000-memory.dmp

Filesize
304KB

Download