healer | b998f35e11870439fa254b89623b18af3780b36289fa31cdedbb2f330d4f14c8

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b998f35e11870439fa254b89623b18af3780b36289fa31cdedbb2f330d4f14c8.exe
Size

1.1MB
MD5

4a2b7e4cb00dc26c2cced644bca24b16
SHA1

6dc383372a3bd22a1f3f91b95f1a7348383db4d8
SHA256

b998f35e11870439fa254b89623b18af3780b36289fa31cdedbb2f330d4f14c8
SHA512

00601946d272737237cd34db9c7487b4b9c1e28dd4205cbc3744a978f96c29c52370e39dad13b5850dd5d7102857e128584b0eff4738fbae77b28767d963e760
SSDEEP

24576:6ymur6lNZZHZ2cjR67DY93F5tOyJZ/i1IThQ5x:BmS6lfZHZBjR6G3vtOAhIYq5

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023ba2-32.dat	healer
behavioral1/memory/2588-35-0x00000000000F0000-0x00000000000FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	buKA51eR66.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	buKA51eR66.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	buKA51eR66.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	buKA51eR66.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	buKA51eR66.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	buKA51eR66.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/2508-41-0x0000000002450000-0x0000000002496000-memory.dmp	family_redline
behavioral1/memory/2508-43-0x00000000052A0000-0x00000000052E4000-memory.dmp	family_redline
behavioral1/memory/2508-45-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-55-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-105-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-103-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-102-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-99-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-97-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-95-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-93-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-91-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-87-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-85-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-84-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-82-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-79-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-77-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-75-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-73-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-71-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-69-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-67-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-63-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-61-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-59-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-57-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-53-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-51-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-49-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-48-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-107-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-89-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-65-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline
behavioral1/memory/2508-44-0x00000000052A0000-0x00000000052DE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
32	plgf37Wy88.exe
4080	plQr15cJ29.exe
2096	plyv08Jh94.exe
2932	plmq61pu79.exe
2588	buKA51eR66.exe
2508	caiW49Dj74.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	buKA51eR66.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b998f35e11870439fa254b89623b18af3780b36289fa31cdedbb2f330d4f14c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plgf37Wy88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plQr15cJ29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plyv08Jh94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	plmq61pu79.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
264	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plgf37Wy88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plQr15cJ29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plyv08Jh94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plmq61pu79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caiW49Dj74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b998f35e11870439fa254b89623b18af3780b36289fa31cdedbb2f330d4f14c8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2588	buKA51eR66.exe
2588	buKA51eR66.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	buKA51eR66.exe
Token: SeDebugPrivilege	2508	caiW49Dj74.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 32	2020	b998f35e11870439fa254b89623b18af3780b36289fa31cdedbb2f330d4f14c8.exe	84
PID 2020 wrote to memory of 32	2020	b998f35e11870439fa254b89623b18af3780b36289fa31cdedbb2f330d4f14c8.exe	84
PID 2020 wrote to memory of 32	2020	b998f35e11870439fa254b89623b18af3780b36289fa31cdedbb2f330d4f14c8.exe	84
PID 32 wrote to memory of 4080	32	plgf37Wy88.exe	86
PID 32 wrote to memory of 4080	32	plgf37Wy88.exe	86
PID 32 wrote to memory of 4080	32	plgf37Wy88.exe	86
PID 4080 wrote to memory of 2096	4080	plQr15cJ29.exe	87
PID 4080 wrote to memory of 2096	4080	plQr15cJ29.exe	87
PID 4080 wrote to memory of 2096	4080	plQr15cJ29.exe	87
PID 2096 wrote to memory of 2932	2096	plyv08Jh94.exe	89
PID 2096 wrote to memory of 2932	2096	plyv08Jh94.exe	89
PID 2096 wrote to memory of 2932	2096	plyv08Jh94.exe	89
PID 2932 wrote to memory of 2588	2932	plmq61pu79.exe	90
PID 2932 wrote to memory of 2588	2932	plmq61pu79.exe	90
PID 2932 wrote to memory of 2508	2932	plmq61pu79.exe	96
PID 2932 wrote to memory of 2508	2932	plmq61pu79.exe	96
PID 2932 wrote to memory of 2508	2932	plmq61pu79.exe	96

C:\Users\Admin\AppData\Local\Temp\b998f35e11870439fa254b89623b18af3780b36289fa31cdedbb2f330d4f14c8.exe
"C:\Users\Admin\AppData\Local\Temp\b998f35e11870439fa254b89623b18af3780b36289fa31cdedbb2f330d4f14c8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgf37Wy88.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgf37Wy88.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plQr15cJ29.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plQr15cJ29.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plyv08Jh94.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plyv08Jh94.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plmq61pu79.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plmq61pu79.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buKA51eR66.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buKA51eR66.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiW49Dj74.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiW49Dj74.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgf37Wy88.exe

Filesize
1.0MB

MD5
fc6c17e579d6c3d6b4df3f61a526c567

SHA1
01c0ffb674cad7c7767f954b65fb55f289f18738

SHA256
a7fa03f92ca92ef6cd6ab85712a17d32c1acf9de413175daec10e0f2f2417d8a

SHA512
a027c431462e6e0e3c281c7e9a97f67558d858c057ab68c757fb3de1b00aa94592872586e70949d2e4ff4f1298dc6f189eda73f3e6620e6041c747609ddeca7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plQr15cJ29.exe

Filesize
926KB

MD5
55dd15e66bed5002e8cc08a05f42c54f

SHA1
09b6e67dd78f66cabb3163dd0e35a27decc23807

SHA256
d8f90107b3d24eb62fab59c1e44b01ffc54749b442024d3d946f3b9a30e0ff37

SHA512
ae0b0ad794fb0753a96b3017e95aae3cd58726ab8760b0117efb9dfc6945cff616f2fea08fea88a300836d8501f2919f0e24c85a7c6c114a0a564afb691c8989

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plyv08Jh94.exe

Filesize
660KB

MD5
9bb7017d1ffcb5ac9fcabc9d058ee6b0

SHA1
1c5b662ed9c93990426b41fb96bf525d3f960328

SHA256
67d315fffa123a9d67e0d2e421bdedda79856e9e456cb313bcb4b849e08da816

SHA512
54f43647e6aef7b8f4b5bc92f9813d33968d9b37b1f0864fd1b4e5ea5e815b4ff2893a4a2f03cf07d406600897fc32500c705a962cd769e170e1fc4730ad60fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plmq61pu79.exe

Filesize
388KB

MD5
9cee1bd7ff1843198b03856f0586df41

SHA1
8d3b0cfaaac00d2ebadff1830fb47de424c0675f

SHA256
470903436b9e5f76ce6c26ea7d1d39c2541c17c1c549bb7a3751548667f28391

SHA512
fb59818c6faf1d60eef286d963581e24c23c12f934f1bcad77724d985ab2d750a17207769aee71b938758e360d64592efaa03a6bfd9cc362dd63d52172e01daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buKA51eR66.exe

Filesize
11KB

MD5
d97c7c5b39de9b6792ca318d796b512b

SHA1
0f0ec0621e8b4a7e3a79b7b85e65168675279eaa

SHA256
9410938297d9cbcec3ff420b46239a18fd0da4e15cb14d8e788056adc616a221

SHA512
eabed4daacd917e21ec6741cf94104ef8731800caefb71750538b32f9317a936489bff35388eaca08cb0092d204f630a89fb9d2a9fd2bfecea8723b4c684a1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiW49Dj74.exe

Filesize
305KB

MD5
e11ed6fc64ebc2ac86e3a4e39aa0b6b6

SHA1
ad61736c537f06c5eda7ae7064b55a37b514eea1

SHA256
8b09887654b84d73fdaf0d421b2d5910529cbfcd5a4848a23111c2612d3a1695

SHA512
43e07b129d1b0269027fca92c05cd28fcecd5c9469df0b414ad24ba1b3270f6e55c2e5b67bc4734ec43d72e0609d58c068c23560716db14cd468031cb7b6b880

Download Submit
memory/2508-79-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-73-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-42-0x0000000004CB0000-0x0000000005254000-memory.dmp

Filesize
5.6MB

Download
memory/2508-43-0x00000000052A0000-0x00000000052E4000-memory.dmp

Filesize
272KB

Download
memory/2508-45-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-55-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-105-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-103-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-102-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-99-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-97-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-95-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-93-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-91-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-87-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-85-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-84-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-82-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-954-0x0000000005C50000-0x0000000005C9C000-memory.dmp

Filesize
304KB

Download
memory/2508-77-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-75-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-41-0x0000000002450000-0x0000000002496000-memory.dmp

Filesize
280KB

Download
memory/2508-71-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-69-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-67-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-63-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-61-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-59-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-57-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-53-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-51-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-49-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-48-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-107-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-89-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-65-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-44-0x00000000052A0000-0x00000000052DE000-memory.dmp

Filesize
248KB

Download
memory/2508-950-0x0000000005300000-0x0000000005918000-memory.dmp

Filesize
6.1MB

Download
memory/2508-951-0x00000000059A0000-0x0000000005AAA000-memory.dmp

Filesize
1.0MB

Download
memory/2508-952-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

Filesize
72KB

Download
memory/2508-953-0x0000000005B00000-0x0000000005B3C000-memory.dmp

Filesize
240KB

Download
memory/2588-35-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download