healer | 8b5ed7c4742ff19e11bb700273f786bca36fd2c0467fdf9b666e1becefa8fa42

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b5ed7c4742ff19e11bb700273f786bca36fd2c0467fdf9b666e1becefa8fa42.exe
Size

1.2MB
MD5

ea1c5001fbb6c153ff7d1596108d8679
SHA1

220f9aa32e690f26b28e32e1fd5ee441c81525e8
SHA256

8b5ed7c4742ff19e11bb700273f786bca36fd2c0467fdf9b666e1becefa8fa42
SHA512

180574f47c41c70bcdd87ba10be9b0fd4398b7137b6d35649f950b28593e1b21f80668d9b30dfe5bb329d188bb55dc48e97f4f278280fd6bbd2dbb3d9580640d
SSDEEP

24576:hyC/WdwwlyWZtNZRtlFqRlafUtsRBGtAXQseZ82cPV:UC/WdHlyWNZtFvfUtqUTv

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ccc-32.dat	healer
behavioral1/memory/3948-35-0x00000000009A0000-0x00000000009AA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	busS46Te19.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	busS46Te19.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	busS46Te19.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	busS46Te19.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	busS46Te19.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	busS46Te19.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/2596-41-0x0000000002500000-0x0000000002546000-memory.dmp	family_redline
behavioral1/memory/2596-43-0x0000000002840000-0x0000000002884000-memory.dmp	family_redline
behavioral1/memory/2596-53-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-51-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-107-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-105-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-101-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-99-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-98-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-95-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-93-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-91-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-89-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-87-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-83-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-81-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-79-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-77-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-75-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-73-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-71-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-70-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-67-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-63-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-61-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-59-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-57-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-55-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-103-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-85-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-65-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-49-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-47-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-45-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/2596-44-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
4348	plge52CJ26.exe
1160	plVR37rz47.exe
3096	plrb82Pb84.exe
3356	pltN56tw78.exe
3948	busS46Te19.exe
2596	caKQ43st96.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	busS46Te19.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8b5ed7c4742ff19e11bb700273f786bca36fd2c0467fdf9b666e1becefa8fa42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plge52CJ26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plVR37rz47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plrb82Pb84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	pltN56tw78.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plVR37rz47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plrb82Pb84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pltN56tw78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caKQ43st96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b5ed7c4742ff19e11bb700273f786bca36fd2c0467fdf9b666e1becefa8fa42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plge52CJ26.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3948	busS46Te19.exe
3948	busS46Te19.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3948	busS46Te19.exe
Token: SeDebugPrivilege	2596	caKQ43st96.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 4348	2664	8b5ed7c4742ff19e11bb700273f786bca36fd2c0467fdf9b666e1becefa8fa42.exe	84
PID 2664 wrote to memory of 4348	2664	8b5ed7c4742ff19e11bb700273f786bca36fd2c0467fdf9b666e1becefa8fa42.exe	84
PID 2664 wrote to memory of 4348	2664	8b5ed7c4742ff19e11bb700273f786bca36fd2c0467fdf9b666e1becefa8fa42.exe	84
PID 4348 wrote to memory of 1160	4348	plge52CJ26.exe	85
PID 4348 wrote to memory of 1160	4348	plge52CJ26.exe	85
PID 4348 wrote to memory of 1160	4348	plge52CJ26.exe	85
PID 1160 wrote to memory of 3096	1160	plVR37rz47.exe	86
PID 1160 wrote to memory of 3096	1160	plVR37rz47.exe	86
PID 1160 wrote to memory of 3096	1160	plVR37rz47.exe	86
PID 3096 wrote to memory of 3356	3096	plrb82Pb84.exe	87
PID 3096 wrote to memory of 3356	3096	plrb82Pb84.exe	87
PID 3096 wrote to memory of 3356	3096	plrb82Pb84.exe	87
PID 3356 wrote to memory of 3948	3356	pltN56tw78.exe	89
PID 3356 wrote to memory of 3948	3356	pltN56tw78.exe	89
PID 3356 wrote to memory of 2596	3356	pltN56tw78.exe	97
PID 3356 wrote to memory of 2596	3356	pltN56tw78.exe	97
PID 3356 wrote to memory of 2596	3356	pltN56tw78.exe	97

C:\Users\Admin\AppData\Local\Temp\8b5ed7c4742ff19e11bb700273f786bca36fd2c0467fdf9b666e1becefa8fa42.exe
"C:\Users\Admin\AppData\Local\Temp\8b5ed7c4742ff19e11bb700273f786bca36fd2c0467fdf9b666e1becefa8fa42.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plge52CJ26.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plge52CJ26.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plVR37rz47.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plVR37rz47.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plrb82Pb84.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plrb82Pb84.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pltN56tw78.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pltN56tw78.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3356
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busS46Te19.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busS46Te19.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKQ43st96.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKQ43st96.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plge52CJ26.exe

Filesize
1.0MB

MD5
bc759e802f752bc5cd872e0a7e28512a

SHA1
57d5b43486a55043fdd3ae51d9781568c8e666cc

SHA256
ee85a428e393d6fede70ef2b2f128e431dedb01fc515c94adfb64b1a334e2f02

SHA512
39985440f0678fc7923fa8fd56f7eec7e2c53736ee70822e7753e343da044ea279019a4f70babbfbf56f5ab00a4efefe985a4d93b63269216a657de9578af9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plVR37rz47.exe

Filesize
940KB

MD5
548cfc3fe099075a6191fd1ec9e0721b

SHA1
824eae920fed0b54aae629baf0464562abba9ab7

SHA256
5ce85f13097102c23ec2e11ae36d649110c00cec70ca9f904de41f8af62d67e3

SHA512
f31562a70d3e248455c28d367f71c4403f02b334eef07b921fee18ee92b60dd58bbbdd6400ddd3d0c135eb3814ce3573bfb0bc641bedf5ec8ecb42e4c5486f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plrb82Pb84.exe

Filesize
669KB

MD5
c84bde44c97d25eb6a43184504f331da

SHA1
13956ef11ddc7b88db70ac936c2dd75b2fd2d45f

SHA256
60252d143dd51d99baf7898b9dd3409afd007d71a2a97c9137551a957fe4dd3f

SHA512
7725ede25378e585771ef893ad8b0bf61e412718644ffcca666684eb5df6e73140b558cdb56c78a08e8736fcd4c85298020cebf802d22514a5b9d724f9a3e9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pltN56tw78.exe

Filesize
393KB

MD5
97b171f337698dcf76bd72328a798d9b

SHA1
a0c324ef022de5dc5d76f1a6adaa5a1c362da95f

SHA256
9232b163689b6b911d4c5f9f470c0475503ba9564a0ee46cf5fa7b272fe13cb9

SHA512
6815a1753843f14a452ab2613c5025632c7c0575e7bc4227a11b1a5a4e14e3d9d6a4a4f7b3b1f972a4280c4b8607759628dc0262b0c12efb20c5c09b4444ecda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busS46Te19.exe

Filesize
12KB

MD5
5edb651bbbc7ec7c364478fe81e43299

SHA1
8a591f63b99b1d02ddbf0a7e112605ff752475ae

SHA256
6088313e73ed6644e4c86a84fa1ab12d2f8ce31ee8dd225c79105106544fd655

SHA512
74c78b59f7c14eb5747381c0f87b26a3548017e222aeebf11e6b687c858c36eda665ad1e23260089c79e843b6cadd9e80ae33e51b46e6052f15926a1b1e0b9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKQ43st96.exe

Filesize
304KB

MD5
e8a74f8947be8861da483f9a1b725bea

SHA1
c9485cc022bb2ee5eb15bc98e1aa5330b1b5c09a

SHA256
b27c4b8cc67abed8e257f5b43a656dbfafea50833d2aae5b7fe545ac82d74727

SHA512
4ac48c039d81d9b6f5dd9cd4700855bc27efec45bb167fbf0268ec56c238138865a9d9b9575b2e71f2ab204f29da0daff1e78f5ac12cb54d0383766b7c82e2e8

Download Submit
memory/2596-79-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-73-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-42-0x0000000004D30000-0x00000000052D4000-memory.dmp

Filesize
5.6MB

Download
memory/2596-43-0x0000000002840000-0x0000000002884000-memory.dmp

Filesize
272KB

Download
memory/2596-53-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-51-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-107-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-105-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-101-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-99-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-98-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-95-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-93-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-91-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-89-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-87-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-83-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-81-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-954-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/2596-77-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-75-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-41-0x0000000002500000-0x0000000002546000-memory.dmp

Filesize
280KB

Download
memory/2596-71-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-70-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-67-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-63-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-61-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-59-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-57-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-55-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-103-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-85-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-65-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-49-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-47-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-45-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-44-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/2596-950-0x00000000052E0000-0x00000000058F8000-memory.dmp

Filesize
6.1MB

Download
memory/2596-951-0x0000000005900000-0x0000000005A0A000-memory.dmp

Filesize
1.0MB

Download
memory/2596-952-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2596-953-0x0000000004CD0000-0x0000000004D0C000-memory.dmp

Filesize
240KB

Download
memory/3948-35-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download