healer | 1c8b88ac4adebbf7f58b8a3e8ed37575b8a763689efcc659f34a10c58057ca8e

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2024, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c8b88ac4adebbf7f58b8a3e8ed37575b8a763689efcc659f34a10c58057ca8e.exe
Size

794KB
MD5

c6fa0ede7fd8d7614d143fa15d4cdf76
SHA1

d72a4190bfd7af569ff3487057c0653c27e826d5
SHA256

1c8b88ac4adebbf7f58b8a3e8ed37575b8a763689efcc659f34a10c58057ca8e
SHA512

861d230c0b4f4f6603a2043f19a36866f3855df45df0e11ffaf77d17f46fffb765d5de6b612b02f11df047d62b537d1149ef14a1474072ce61e8ea31aab53533
SSDEEP

24576:kynaAOJVt/bCRqcg0xByaTx2DHxaJvn7:znatJ7TCRFDB9TsDH8Z

Score

10^/10

healer redline mango discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mango

193.233.20.28:4125

Attributes

auth_value
ecf79d7f5227d998a3501c972d915d23

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b83-19.dat	healer
behavioral1/memory/1284-22-0x0000000000E00000-0x0000000000E0A000-memory.dmp	healer
behavioral1/memory/924-29-0x00000000023E0000-0x00000000023FA000-memory.dmp	healer
behavioral1/memory/924-31-0x0000000002420000-0x0000000002438000-memory.dmp	healer
behavioral1/memory/924-32-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-37-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-57-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-55-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-53-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-51-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-49-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-47-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-45-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-43-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-59-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-41-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-39-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-35-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral1/memory/924-33-0x0000000002420000-0x0000000002432000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b7350Kl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b7350Kl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	c25Se54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c25Se54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	c25Se54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c25Se54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b7350Kl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b7350Kl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b7350Kl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b7350Kl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	c25Se54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c25Se54.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/2312-67-0x00000000022D0000-0x0000000002316000-memory.dmp	family_redline
behavioral1/memory/2312-68-0x0000000004B00000-0x0000000004B44000-memory.dmp	family_redline
behavioral1/memory/2312-80-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-102-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-100-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-98-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-96-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-94-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-92-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-90-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-88-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-86-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-84-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-82-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-78-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-76-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-74-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-72-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-70-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral1/memory/2312-69-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
4156	tice9984.exe
264	tice9857.exe
1284	b7350Kl.exe
924	c25Se54.exe
2312	dMFec95.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c25Se54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b7350Kl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	c25Se54.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1c8b88ac4adebbf7f58b8a3e8ed37575b8a763689efcc659f34a10c58057ca8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tice9984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tice9857.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5536	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3424	924	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dMFec95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c8b88ac4adebbf7f58b8a3e8ed37575b8a763689efcc659f34a10c58057ca8e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tice9984.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tice9857.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c25Se54.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1284	b7350Kl.exe
1284	b7350Kl.exe
924	c25Se54.exe
924	c25Se54.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	b7350Kl.exe
Token: SeDebugPrivilege	924	c25Se54.exe
Token: SeDebugPrivilege	2312	dMFec95.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 4156	436	1c8b88ac4adebbf7f58b8a3e8ed37575b8a763689efcc659f34a10c58057ca8e.exe	84
PID 436 wrote to memory of 4156	436	1c8b88ac4adebbf7f58b8a3e8ed37575b8a763689efcc659f34a10c58057ca8e.exe	84
PID 436 wrote to memory of 4156	436	1c8b88ac4adebbf7f58b8a3e8ed37575b8a763689efcc659f34a10c58057ca8e.exe	84
PID 4156 wrote to memory of 264	4156	tice9984.exe	85
PID 4156 wrote to memory of 264	4156	tice9984.exe	85
PID 4156 wrote to memory of 264	4156	tice9984.exe	85
PID 264 wrote to memory of 1284	264	tice9857.exe	86
PID 264 wrote to memory of 1284	264	tice9857.exe	86
PID 264 wrote to memory of 924	264	tice9857.exe	95
PID 264 wrote to memory of 924	264	tice9857.exe	95
PID 264 wrote to memory of 924	264	tice9857.exe	95
PID 4156 wrote to memory of 2312	4156	tice9984.exe	100
PID 4156 wrote to memory of 2312	4156	tice9984.exe	100
PID 4156 wrote to memory of 2312	4156	tice9984.exe	100

C:\Users\Admin\AppData\Local\Temp\1c8b88ac4adebbf7f58b8a3e8ed37575b8a763689efcc659f34a10c58057ca8e.exe
"C:\Users\Admin\AppData\Local\Temp\1c8b88ac4adebbf7f58b8a3e8ed37575b8a763689efcc659f34a10c58057ca8e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9984.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9984.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9857.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9857.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7350Kl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7350Kl.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c25Se54.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c25Se54.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1084
        5⤵
        Program crash
        
        PID:3424
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMFec95.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMFec95.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 924 -ip 924
1⤵
PID:2304

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9984.exe

Filesize
649KB

MD5
cfde4c93399e3457004747227f28b0b8

SHA1
b972a17cedda3b2393b003d0fd503cecd0ba4457

SHA256
068b439880ca7336250f5b4427056da4486e6fe550084fb9b5ccd731d04b9608

SHA512
fa1d157deecd95949b007020c35b6f23bcfd7c15504d7606b5c03be55bfb18eb6b5053083f998b72499677c4ed02de697c6844ad26fc3751491a6316803f8d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMFec95.exe

Filesize
284KB

MD5
6ee48919c4bca2706693deae885023eb

SHA1
4394c57c12e6540968b6971479775ac136b6307b

SHA256
c2ff13a781d2b66f6b5df48b2cbecbef8638584a2df1f90e1cef363a008cc4a4

SHA512
dabf96acaa417291660f9915658e056e532a574f8a64b9f7d6eafdc7dec008728bb895b6d214f143a793c8bcda88edca7af07ea82e1bd4204afb57040d9b9aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9857.exe

Filesize
324KB

MD5
b462d44f88bacec9a53f96b1c130b493

SHA1
73507d3c6cc682be1969fa1360d0765d6a4f8921

SHA256
b3fc865bf7a25de353dc2570d38ab8266d3d8887ba4c9bb1c8c568aa63cd001a

SHA512
e8102e3af2724ef18bde514d5b121ff89452cb32d9b22da1f0f1cdfdf3cf51c9361dd15b8bd812d7db3620cc5581d64b68e9a63e7b86de941a35a999bb07e3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7350Kl.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c25Se54.exe

Filesize
226KB

MD5
a4b2433ec8db6d447c194999f5aff5cb

SHA1
57e474d44cae71d37a3b47e2280d2771d7773b4b

SHA256
73ad5ebc66a60b0e095373cb6b3487d219dada6cec892b5647b6e5b6eb1053b2

SHA512
62c79580064d00c3f8016128defebfc2f1a212639f9ebe9dcd58b5f4419e28cf7b01232c1c24929f7bac5e998e642eb4ee096789a4fe46bdb547b38e4d047123

Download Submit
memory/924-60-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/924-51-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-29-0x00000000023E0000-0x00000000023FA000-memory.dmp

Filesize
104KB

Download
memory/924-30-0x0000000004AC0000-0x0000000005064000-memory.dmp

Filesize
5.6MB

Download
memory/924-31-0x0000000002420000-0x0000000002438000-memory.dmp

Filesize
96KB

Download
memory/924-32-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-37-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-57-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-55-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-53-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-62-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/924-49-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-47-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-45-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-43-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-59-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-41-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-39-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-35-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/924-33-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/1284-21-0x00007FFB49103000-0x00007FFB49105000-memory.dmp

Filesize
8KB

Download
memory/1284-22-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/1284-23-0x00007FFB49103000-0x00007FFB49105000-memory.dmp

Filesize
8KB

Download
memory/2312-76-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-82-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-80-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-102-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-100-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-98-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-96-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-94-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-92-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-90-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-67-0x00000000022D0000-0x0000000002316000-memory.dmp

Filesize
280KB

Download
memory/2312-84-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-88-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-68-0x0000000004B00000-0x0000000004B44000-memory.dmp

Filesize
272KB

Download
memory/2312-78-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-86-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-74-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-72-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-70-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-69-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/2312-975-0x00000000051F0000-0x0000000005808000-memory.dmp

Filesize
6.1MB

Download
memory/2312-976-0x0000000005810000-0x000000000591A000-memory.dmp

Filesize
1.0MB

Download
memory/2312-977-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/2312-978-0x0000000005920000-0x000000000595C000-memory.dmp

Filesize
240KB

Download
memory/2312-979-0x0000000005A60000-0x0000000005AAC000-memory.dmp

Filesize
304KB

Download