healer | 43c188ce0445d5cabf4eca17e4d8631ccdb587bc22f3c34983fad361c47a2dda

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43c188ce0445d5cabf4eca17e4d8631ccdb587bc22f3c34983fad361c47a2dda.exe
Size

793KB
MD5

5cd4c98221bbd9948e411893c007f9c6
SHA1

57e47d3dc6e457b6ba2c8e46e418ffa4ad846fec
SHA256

43c188ce0445d5cabf4eca17e4d8631ccdb587bc22f3c34983fad361c47a2dda
SHA512

839520e9e403de75d7d8dc701be98831e7d899b81a7c9951285a7e549945d6980a40eac1ee787fcc6b707206387539cfda2713c2735228366e11c74f482d17aa
SSDEEP

24576:MyDaPKPv8A8c7byBciN1Ll7165xlSXaW:7UKP0w7byX1paYX

Score

10^/10

healer redline mango discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mango

193.233.20.28:4125

Attributes

auth_value
ecf79d7f5227d998a3501c972d915d23

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cb8-19.dat	healer
behavioral1/memory/3520-22-0x0000000000560000-0x000000000056A000-memory.dmp	healer
behavioral1/memory/3632-29-0x0000000002240000-0x000000000225A000-memory.dmp	healer
behavioral1/memory/3632-31-0x00000000023E0000-0x00000000023F8000-memory.dmp	healer
behavioral1/memory/3632-32-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-35-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-57-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-55-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-53-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-51-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-49-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-47-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-43-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-41-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-39-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-37-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-33-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-45-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/3632-59-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b8484zH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	c00mq97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c00mq97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	c00mq97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b8484zH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c00mq97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	c00mq97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c00mq97.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b8484zH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b8484zH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b8484zH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b8484zH.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4768-67-0x0000000002450000-0x0000000002496000-memory.dmp	family_redline
behavioral1/memory/4768-68-0x0000000002530000-0x0000000002574000-memory.dmp	family_redline
behavioral1/memory/4768-78-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-102-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-100-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-98-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-96-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-94-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-92-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-90-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-88-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-86-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-84-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-82-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-80-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-76-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-74-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-72-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-70-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline
behavioral1/memory/4768-69-0x0000000002530000-0x000000000256E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
1440	tice1418.exe
448	tice2851.exe
3520	b8484zH.exe
3632	c00mq97.exe
4768	dJXcM10.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b8484zH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	c00mq97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c00mq97.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	43c188ce0445d5cabf4eca17e4d8631ccdb587bc22f3c34983fad361c47a2dda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tice1418.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tice2851.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
968	3632	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43c188ce0445d5cabf4eca17e4d8631ccdb587bc22f3c34983fad361c47a2dda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tice1418.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tice2851.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c00mq97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dJXcM10.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3520	b8484zH.exe
3520	b8484zH.exe
3632	c00mq97.exe
3632	c00mq97.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	b8484zH.exe
Token: SeDebugPrivilege	3632	c00mq97.exe
Token: SeDebugPrivilege	4768	dJXcM10.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 1440	3844	43c188ce0445d5cabf4eca17e4d8631ccdb587bc22f3c34983fad361c47a2dda.exe	84
PID 3844 wrote to memory of 1440	3844	43c188ce0445d5cabf4eca17e4d8631ccdb587bc22f3c34983fad361c47a2dda.exe	84
PID 3844 wrote to memory of 1440	3844	43c188ce0445d5cabf4eca17e4d8631ccdb587bc22f3c34983fad361c47a2dda.exe	84
PID 1440 wrote to memory of 448	1440	tice1418.exe	85
PID 1440 wrote to memory of 448	1440	tice1418.exe	85
PID 1440 wrote to memory of 448	1440	tice1418.exe	85
PID 448 wrote to memory of 3520	448	tice2851.exe	86
PID 448 wrote to memory of 3520	448	tice2851.exe	86
PID 448 wrote to memory of 3632	448	tice2851.exe	101
PID 448 wrote to memory of 3632	448	tice2851.exe	101
PID 448 wrote to memory of 3632	448	tice2851.exe	101
PID 1440 wrote to memory of 4768	1440	tice1418.exe	112
PID 1440 wrote to memory of 4768	1440	tice1418.exe	112
PID 1440 wrote to memory of 4768	1440	tice1418.exe	112

C:\Users\Admin\AppData\Local\Temp\43c188ce0445d5cabf4eca17e4d8631ccdb587bc22f3c34983fad361c47a2dda.exe
"C:\Users\Admin\AppData\Local\Temp\43c188ce0445d5cabf4eca17e4d8631ccdb587bc22f3c34983fad361c47a2dda.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice1418.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice1418.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2851.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2851.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8484zH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8484zH.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c00mq97.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c00mq97.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1084
        5⤵
        Program crash
        
        PID:968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dJXcM10.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dJXcM10.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3632 -ip 3632
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice1418.exe

Filesize
647KB

MD5
693e551e40be1ed619d1ccad34166fa9

SHA1
e25234f8d9d4cb1e11ae891aef9b5c00475bb21c

SHA256
1a5b684d28066807b2af971aa8663c84cb3114401fa886188ed8267b3f4401b9

SHA512
be158bf5673b47fbca43c5c460d0043eb52348d6083aa6a67dd6012882da91aa79c76f659efbd208068823a48bdbc29dab77380e39d329270e34e19540a83917

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dJXcM10.exe

Filesize
284KB

MD5
6cf90a6cc1fd749726388183c2da238d

SHA1
10f76d6cba21963765582eb73b186bee3e25bdd6

SHA256
deae34ece587703d8b91733f25f0c9cfce2086621ab2a88b5f692bf4aaa116d7

SHA512
18125b276d4a65f62df5c938f9293e9805396ec8ec5cb474ab0dd79f0331998a5230545537500079f42b9c734275625b3bc1e7084f5868975563e16a9faa077e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2851.exe

Filesize
324KB

MD5
33e92f474b884ee7bd437800d8bedbe9

SHA1
e327d833b593bc7f1461c7154bfd083c9f7f4fe3

SHA256
aa5b502bd5e1cee40dd700d9cf936a71b7e6b49ab9c3b937ff394d0c6386e605

SHA512
976169dd836575454bcd003d7f9b09375df04b6440a08427798bebc415289be74036a2781b2fb0c94e8c75ed9b771772a9d564bfdd2d42af515d62b45763f06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8484zH.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c00mq97.exe

Filesize
226KB

MD5
f82b21f2280cd171118325683b0359d3

SHA1
7e12e3d7cc67bce62d416321b8df3df5b5aea5d1

SHA256
001d73ac5488b1f73a38c4c01b9b0d8daf55fc05de55f1b96df18efcda5accd0

SHA512
a3568d8aea158cab0a1b707a7a03ef6329329f28deeac25bcd858ad5246e8e74e8bbfee09e7054e4a11407b6c97b7b4e491845f84d95650877f09252d7a39a91

Download Submit
memory/3520-21-0x00007FFD9D423000-0x00007FFD9D425000-memory.dmp

Filesize
8KB

Download
memory/3520-22-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/3520-23-0x00007FFD9D423000-0x00007FFD9D425000-memory.dmp

Filesize
8KB

Download
memory/3632-60-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3632-31-0x00000000023E0000-0x00000000023F8000-memory.dmp

Filesize
96KB

Download
memory/3632-32-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-35-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-57-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-55-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-53-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-51-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-49-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-47-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-43-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-41-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-39-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-37-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-33-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-45-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-59-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3632-30-0x0000000004DB0000-0x0000000005354000-memory.dmp

Filesize
5.6MB

Download
memory/3632-62-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3632-29-0x0000000002240000-0x000000000225A000-memory.dmp

Filesize
104KB

Download
memory/4768-102-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-82-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-78-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-67-0x0000000002450000-0x0000000002496000-memory.dmp

Filesize
280KB

Download
memory/4768-100-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-98-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-96-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-94-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-92-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-90-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-88-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-86-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-84-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-68-0x0000000002530000-0x0000000002574000-memory.dmp

Filesize
272KB

Download
memory/4768-80-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-76-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-74-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-72-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-70-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-69-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4768-975-0x00000000052E0000-0x00000000058F8000-memory.dmp

Filesize
6.1MB

Download
memory/4768-976-0x0000000004BC0000-0x0000000004CCA000-memory.dmp

Filesize
1.0MB

Download
memory/4768-977-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/4768-978-0x0000000005900000-0x000000000593C000-memory.dmp

Filesize
240KB

Download
memory/4768-979-0x0000000005A50000-0x0000000005A9C000-memory.dmp

Filesize
304KB

Download