healer | d5066341979c81e32ea1e253de046c17b2e61d311849d418233f599e7e8dcd38

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5066341979c81e32ea1e253de046c17b2e61d311849d418233f599e7e8dcd38.exe
Size

1.0MB
MD5

7335cdf931fdbe3acc9e2e97a1209d9e
SHA1

b9e7b0fa19afcef6438282bcd22a78e2cd3a1814
SHA256

d5066341979c81e32ea1e253de046c17b2e61d311849d418233f599e7e8dcd38
SHA512

2018b1bf01ff09a7ecd47d35ede1d0eec2c8c3c3653b24cbb28b038b88b894159fa758191a320ff1da11d69ec8423355c593a1510ddb752f874494ae970699dc
SSDEEP

24576:Nyf7vLS8NTYasCI450AjkpL+9xa8hwaOXOiOdW3:o7LlCDCr50AjQL+HjOXOi6

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7332.exe	healer
behavioral1/memory/404-28-0x0000000000210000-0x000000000021A000-memory.dmp	healer
behavioral1/memory/436-34-0x0000000000B00000-0x0000000000B1A000-memory.dmp	healer
behavioral1/memory/436-36-0x0000000002810000-0x0000000002828000-memory.dmp	healer
behavioral1/memory/436-37-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-60-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-64-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-62-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-58-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-56-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-54-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-52-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-50-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-48-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-46-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-44-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-42-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-40-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/436-38-0x0000000002810000-0x0000000002822000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

v1868He.exetz7332.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v1868He.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v1868He.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v1868He.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz7332.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7332.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7332.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v1868He.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v1868He.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v1868He.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7332.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7332.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7332.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3836-72-0x00000000025F0000-0x0000000002636000-memory.dmp	family_redline
behavioral1/memory/3836-73-0x00000000028A0000-0x00000000028E4000-memory.dmp	family_redline
behavioral1/memory/3836-93-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-97-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-107-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-105-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-103-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-101-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-99-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-95-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-91-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-89-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-87-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-85-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-83-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-81-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-79-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-77-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-75-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline
behavioral1/memory/3836-74-0x00000000028A0000-0x00000000028DF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 6 IoCs

Processes:

zap2069.exezap1639.exezap3951.exetz7332.exev1868He.exew56oQ94.exe

pid process

1884 zap2069.exe
3368 zap1639.exe
1060 zap3951.exe
404 tz7332.exe
436 v1868He.exe
3836 w56oQ94.exe

pid	process
1884	zap2069.exe
3368	zap1639.exe
1060	zap3951.exe
404	tz7332.exe
436	v1868He.exe
3836	w56oQ94.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

tz7332.exev1868He.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7332.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v1868He.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v1868He.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d5066341979c81e32ea1e253de046c17b2e61d311849d418233f599e7e8dcd38.exezap2069.exezap1639.exezap3951.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d5066341979c81e32ea1e253de046c17b2e61d311849d418233f599e7e8dcd38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2069.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap1639.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3951.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3876 sc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2312 436 WerFault.exe v1868He.exe

pid	process
3876	sc.exe

pid	pid_target	process	target process
2312	436	WerFault.exe	v1868He.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

zap2069.exezap1639.exezap3951.exev1868He.exew56oQ94.exed5066341979c81e32ea1e253de046c17b2e61d311849d418233f599e7e8dcd38.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap2069.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap1639.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap3951.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v1868He.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w56oQ94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5066341979c81e32ea1e253de046c17b2e61d311849d418233f599e7e8dcd38.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

tz7332.exev1868He.exe

pid process

404 tz7332.exe
404 tz7332.exe
436 v1868He.exe
436 v1868He.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tz7332.exev1868He.exew56oQ94.exe

description pid process

Token: SeDebugPrivilege 404 tz7332.exe
Token: SeDebugPrivilege 436 v1868He.exe
Token: SeDebugPrivilege 3836 w56oQ94.exe

pid	process
404	tz7332.exe
404	tz7332.exe
436	v1868He.exe
436	v1868He.exe

description	pid	process
Token: SeDebugPrivilege	404	tz7332.exe
Token: SeDebugPrivilege	436	v1868He.exe
Token: SeDebugPrivilege	3836	w56oQ94.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

d5066341979c81e32ea1e253de046c17b2e61d311849d418233f599e7e8dcd38.exezap2069.exezap1639.exezap3951.exe

description	pid	process	target process
PID 2436 wrote to memory of 1884	2436	d5066341979c81e32ea1e253de046c17b2e61d311849d418233f599e7e8dcd38.exe	zap2069.exe
PID 2436 wrote to memory of 1884	2436	d5066341979c81e32ea1e253de046c17b2e61d311849d418233f599e7e8dcd38.exe	zap2069.exe
PID 2436 wrote to memory of 1884	2436	d5066341979c81e32ea1e253de046c17b2e61d311849d418233f599e7e8dcd38.exe	zap2069.exe
PID 1884 wrote to memory of 3368	1884	zap2069.exe	zap1639.exe
PID 1884 wrote to memory of 3368	1884	zap2069.exe	zap1639.exe
PID 1884 wrote to memory of 3368	1884	zap2069.exe	zap1639.exe
PID 3368 wrote to memory of 1060	3368	zap1639.exe	zap3951.exe
PID 3368 wrote to memory of 1060	3368	zap1639.exe	zap3951.exe
PID 3368 wrote to memory of 1060	3368	zap1639.exe	zap3951.exe
PID 1060 wrote to memory of 404	1060	zap3951.exe	tz7332.exe
PID 1060 wrote to memory of 404	1060	zap3951.exe	tz7332.exe
PID 1060 wrote to memory of 436	1060	zap3951.exe	v1868He.exe
PID 1060 wrote to memory of 436	1060	zap3951.exe	v1868He.exe
PID 1060 wrote to memory of 436	1060	zap3951.exe	v1868He.exe
PID 3368 wrote to memory of 3836	3368	zap1639.exe	w56oQ94.exe
PID 3368 wrote to memory of 3836	3368	zap1639.exe	w56oQ94.exe
PID 3368 wrote to memory of 3836	3368	zap1639.exe	w56oQ94.exe

C:\Users\Admin\AppData\Local\Temp\d5066341979c81e32ea1e253de046c17b2e61d311849d418233f599e7e8dcd38.exe
"C:\Users\Admin\AppData\Local\Temp\d5066341979c81e32ea1e253de046c17b2e61d311849d418233f599e7e8dcd38.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2069.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2069.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1639.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1639.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3368

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3951.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3951.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7332.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7332.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1868He.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1868He.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1108
6⤵
- Program crash
PID:2312

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w56oQ94.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w56oQ94.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 436 -ip 436
1⤵
PID:4260

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2069.exe

Filesize
847KB

MD5
215d292b968e8929795f8f73e3ccd663

SHA1
2c57c9701950f27f42efc934a3252a6f226cb0d5

SHA256
fc4abbcb82bb57bd15eba7bc62a70265fa10fac2df52da5eba6576efb2c0d2e6

SHA512
b2483a0dcbae1a4741af02f498df69f7e1c27a94dc7dd171694209079a7ea6bfdf4290e940e758a4f67a4cb1fcbe1c27f2f871f1cb97c1dd8078812620fff0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1639.exe

Filesize
705KB

MD5
11a5f3d5aa798e351b56c9f2a86a703e

SHA1
5d7b7ace0739705afa6a791047bffcdf554c09d8

SHA256
32df0ac07392f222b1cb0b0bd46533805b3443e891f532a422fa7ad54d81259a

SHA512
58a8893cfc8c94215339fd2780c54c5e9aa2b49e1649be233b7c41225d81cfc9d67095619976f2363220070ebe75e27c62797789bca517ee5ba4878f68cce9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w56oQ94.exe

Filesize
411KB

MD5
201504f06e0594151ee8a2b7bae3de65

SHA1
b2635ec254c74ca508018685453622de828c7326

SHA256
88a579078e1b1bb4da10227d069ae4a526e30d94379d9a6193abd04d3fb6b9d3

SHA512
0655ab7e59154b06a56417cdbd44134a1dea84c052afe1e7feacfaa4432a210943d117a935cb88c7ad6346b5f2d57be24643a107fc2d66ba387366f8efc0fb89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3951.exe

Filesize
350KB

MD5
a5df4e448e4769daf3203deec19f53c9

SHA1
c587b76052cb827f305cd53afd3278544bedff58

SHA256
573935d181cb712f34f1d8daed75415002d883252026b2e57ec81bafb5e7911b

SHA512
50d1732436ea081bf6b048facc32073b2ed72e99935a4b9381ea66941b2a51e92408f66c003eb08a647d189c2b5ab65900d4667f22f67c49163c9e8d281a5371

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7332.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1868He.exe

Filesize
352KB

MD5
b32c758058997366c734385f06091a02

SHA1
81d7daf43b45a9abab5824e841c846946c53ebaa

SHA256
6ac297513ceccb8304467da6bbc9607f620c62c80aca75b2d6ed0d61fd7dffb6

SHA512
15fb0b890d4133f6a9c7ec7cafb41c1776dee56df02f1042ab5d5561bfac3be3fa5d92ee810685eef0b583282c835db6fb4832ab906508ed4a148fe42d52c65c

Download Submit
memory/404-28-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/436-67-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/436-36-0x0000000002810000-0x0000000002828000-memory.dmp

Filesize
96KB

Download
memory/436-37-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-60-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-64-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-62-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-58-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-56-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-54-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-52-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-50-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-48-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-46-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-44-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-42-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-40-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-38-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/436-65-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/436-35-0x0000000004F70000-0x0000000005514000-memory.dmp

Filesize
5.6MB

Download
memory/436-34-0x0000000000B00000-0x0000000000B1A000-memory.dmp

Filesize
104KB

Download
memory/3836-97-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-85-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-93-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-72-0x00000000025F0000-0x0000000002636000-memory.dmp

Filesize
280KB

Download
memory/3836-107-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-105-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-103-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-101-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-99-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-95-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-91-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-89-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-87-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-73-0x00000000028A0000-0x00000000028E4000-memory.dmp

Filesize
272KB

Download
memory/3836-83-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-81-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-79-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-77-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-75-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-74-0x00000000028A0000-0x00000000028DF000-memory.dmp

Filesize
252KB

Download
memory/3836-980-0x00000000054F0000-0x0000000005B08000-memory.dmp

Filesize
6.1MB

Download
memory/3836-981-0x0000000005B10000-0x0000000005C1A000-memory.dmp

Filesize
1.0MB

Download
memory/3836-982-0x0000000005C20000-0x0000000005C32000-memory.dmp

Filesize
72KB

Download
memory/3836-983-0x0000000005C40000-0x0000000005C7C000-memory.dmp

Filesize
240KB

Download
memory/3836-984-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download