healer | 1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exe
Size

787KB
MD5

f9854a58981ef7fe64be29c3e00f9811
SHA1

0c3f97b10c9673c9f76ee7af98b04a66a23a548a
SHA256

1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a
SHA512

8f460e2274a4507da33b2c9e0df4fb66d306170f45e53eb6551712d67361588c261218fb888ccf7b5f070ea75aeb996702c997d82095386f1e9c2db13e654ead
SSDEEP

12288:vMroy90n73c0lMUIHwGQqUmMlq5xnJisUjps7d1mXZd+SvWYYnP:Py4Y0bGQqUmMlK9JisUq/mpdt4P

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1392-19-0x0000000002150000-0x000000000216A000-memory.dmp	healer
behavioral1/memory/1392-21-0x0000000004B80000-0x0000000004B98000-memory.dmp	healer
behavioral1/memory/1392-49-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-48-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-45-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-43-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-41-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-39-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-37-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-35-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-33-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-31-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-29-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-27-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-25-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-23-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/1392-22-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro3077.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro3077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro3077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro3077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro3077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro3077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro3077.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4392-2143-0x0000000005400000-0x0000000005432000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral1/memory/5824-2156-0x0000000000AC0000-0x0000000000AF0000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si120669.exe	family_redline
behavioral1/memory/4176-2167-0x00000000001D0000-0x00000000001FE000-memory.dmp	family_redline

Redline family
redline
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

qu9778.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation qu9778.exe
Executes dropped EXE 5 IoCs

Processes:

un501633.exepro3077.exequ9778.exe1.exesi120669.exe

pid process

3520 un501633.exe
1392 pro3077.exe
4392 qu9778.exe
5824 1.exe
4176 si120669.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	qu9778.exe

pid	process
3520	un501633.exe
1392	pro3077.exe
4392	qu9778.exe
5824	1.exe
4176	si120669.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro3077.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro3077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro3077.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exeun501633.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un501633.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1432 1392 WerFault.exe pro3077.exe
2960 4392 WerFault.exe qu9778.exe

pid	pid_target	process	target process
1432	1392	WerFault.exe	pro3077.exe
2960	4392	WerFault.exe	qu9778.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exeun501633.exepro3077.exequ9778.exe1.exesi120669.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un501633.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro3077.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu9778.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si120669.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro3077.exe

pid process

1392 pro3077.exe
1392 pro3077.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro3077.exequ9778.exe

description pid process

Token: SeDebugPrivilege 1392 pro3077.exe
Token: SeDebugPrivilege 4392 qu9778.exe

pid	process
1392	pro3077.exe
1392	pro3077.exe

description	pid	process
Token: SeDebugPrivilege	1392	pro3077.exe
Token: SeDebugPrivilege	4392	qu9778.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exeun501633.exequ9778.exe

description	pid	process	target process
PID 3692 wrote to memory of 3520	3692	1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exe	un501633.exe
PID 3692 wrote to memory of 3520	3692	1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exe	un501633.exe
PID 3692 wrote to memory of 3520	3692	1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exe	un501633.exe
PID 3520 wrote to memory of 1392	3520	un501633.exe	pro3077.exe
PID 3520 wrote to memory of 1392	3520	un501633.exe	pro3077.exe
PID 3520 wrote to memory of 1392	3520	un501633.exe	pro3077.exe
PID 3520 wrote to memory of 4392	3520	un501633.exe	qu9778.exe
PID 3520 wrote to memory of 4392	3520	un501633.exe	qu9778.exe
PID 3520 wrote to memory of 4392	3520	un501633.exe	qu9778.exe
PID 4392 wrote to memory of 5824	4392	qu9778.exe	1.exe
PID 4392 wrote to memory of 5824	4392	qu9778.exe	1.exe
PID 4392 wrote to memory of 5824	4392	qu9778.exe	1.exe
PID 3692 wrote to memory of 4176	3692	1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exe	si120669.exe
PID 3692 wrote to memory of 4176	3692	1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exe	si120669.exe
PID 3692 wrote to memory of 4176	3692	1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exe	si120669.exe

C:\Users\Admin\AppData\Local\Temp\1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exe
"C:\Users\Admin\AppData\Local\Temp\1fc632dab67824da0b781d41a320f21d76740f147e98b15e2ab5ddbbb578eb2a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3692

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un501633.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un501633.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3520

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3077.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3077.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1084
4⤵
- Program crash
PID:1432

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9778.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9778.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1384
4⤵
- Program crash
PID:2960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si120669.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si120669.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1392 -ip 1392
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4392 -ip 4392
1⤵
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si120669.exe

Filesize
168KB

MD5
a3d2c67ac53836f2beff6daa46eb5d3e

SHA1
a3fc78ac875bafa039f5daa25a183ab056ee92d0

SHA256
f2d9be6f1e359dae5fc95308eba53c1bb8d97088e995d0d8929f8e0d150fff08

SHA512
64c5f05550937539eaa1b5f532ba7a23483afa38a8efbd679cc268d87238e6dfb465668289948a3d2dde3c251376010c8559d0304fb89e9fd31ce70794b5f520

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un501633.exe

Filesize
633KB

MD5
4e9dd0b5e0f75194b209d8a07f835752

SHA1
3a5a0b47677af7dbccf429bdd719a56902f789e2

SHA256
710e4b6d2cda333eadb342f2dc26c64930823dc16bcba09eeaf73d7da2965b62

SHA512
9f4201074b64e3111d9a80af7590abc8b668dc1fa2185d4e52a77a5d6015e5cfc738b9f50a54424fa14741ec37d6d939b4c7cfd0b78dbad2e9e583741c737ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3077.exe

Filesize
231KB

MD5
202f4069ebb0f22e1840533e5ad65fea

SHA1
44cc1ac0d1fa74a64f74c2447500cf1fe01a2918

SHA256
736178c51d40b5964fd01f09eaebdfa7b3854141733373c281bb3794d36c56a8

SHA512
c0628888d4cf957fec690825dc90979927602e567cb7d8c01e58ff5546e29ba91f508df59d20f3b0e948f686e067d6caef2b583d649507fd34f7fae2a0eb5623

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9778.exe

Filesize
414KB

MD5
24f41bb01e515f0ffc464b27dba98deb

SHA1
17ae5ba5be0ccc92c073fee0f04f5fd84c1c4093

SHA256
73ea37d53019cc570d44815c1b756a83bdc22bd04d68b2d03bb704183aacd5a3

SHA512
c090292304d513021cea8735f3fb28b65a58cb02df1560861c4adcfacd35548d71abc60461bd3bf006b62f9cca51fff4471ae224f45a9799015477768818cbad

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/1392-55-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1392-25-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1392-18-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1392-19-0x0000000002150000-0x000000000216A000-memory.dmp

Filesize
104KB

Download
memory/1392-20-0x0000000004BD0000-0x0000000005174000-memory.dmp

Filesize
5.6MB

Download
memory/1392-16-0x00000000004C0000-0x00000000004ED000-memory.dmp

Filesize
180KB

Download
memory/1392-49-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-48-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-45-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-43-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-41-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-39-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-37-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-35-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-33-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-31-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-29-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-27-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-21-0x0000000004B80000-0x0000000004B98000-memory.dmp

Filesize
96KB

Download
memory/1392-23-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-22-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1392-50-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/1392-51-0x00000000004C0000-0x00000000004ED000-memory.dmp

Filesize
180KB

Download
memory/1392-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1392-15-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/1392-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4176-2168-0x0000000000A00000-0x0000000000A06000-memory.dmp

Filesize
24KB

Download
memory/4176-2167-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download
memory/4392-63-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-72-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-74-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-82-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-96-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-94-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-92-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-88-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-86-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-84-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-80-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-62-0x0000000004BF0000-0x0000000004C56000-memory.dmp

Filesize
408KB

Download
memory/4392-76-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-78-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-90-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-68-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-66-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-64-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-70-0x0000000004BF0000-0x0000000004C4F000-memory.dmp

Filesize
380KB

Download
memory/4392-61-0x0000000004B80000-0x0000000004BE6000-memory.dmp

Filesize
408KB

Download
memory/4392-2143-0x0000000005400000-0x0000000005432000-memory.dmp

Filesize
200KB

Download
memory/5824-2156-0x0000000000AC0000-0x0000000000AF0000-memory.dmp

Filesize
192KB

Download
memory/5824-2157-0x00000000053A0000-0x00000000053A6000-memory.dmp

Filesize
24KB

Download
memory/5824-2158-0x00000000059F0000-0x0000000006008000-memory.dmp

Filesize
6.1MB

Download
memory/5824-2159-0x0000000005510000-0x000000000561A000-memory.dmp

Filesize
1.0MB

Download
memory/5824-2160-0x0000000005440000-0x0000000005452000-memory.dmp

Filesize
72KB

Download
memory/5824-2161-0x00000000054A0000-0x00000000054DC000-memory.dmp

Filesize
240KB

Download
memory/5824-2166-0x0000000005620000-0x000000000566C000-memory.dmp

Filesize
304KB

Download