healer | f6ccbe27850f0de172e54bb06962746ca50bdb4bef222e7b112dbc6c55e28857

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6ccbe27850f0de172e54bb06962746ca50bdb4bef222e7b112dbc6c55e28857.exe
Size

976KB
MD5

070c14533f6177d06ec830ffddf74116
SHA1

48a00ac07909ff4871eeacd847b0252a5bcf6bbf
SHA256

f6ccbe27850f0de172e54bb06962746ca50bdb4bef222e7b112dbc6c55e28857
SHA512

9c71d384a6bd9776130956c20ea8be19fcc822c210cf5f2bcaaf377e34cf775e466eeef4b5537499a3c1acb867a2ed65b77b70c297417c464fa8eca9b15f0332
SSDEEP

24576:jy8vRm03KUZqGNW4RTwjE4VAa+aV8VzR083s:285v3KUV9RAPAG8VzRR

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7376.exe	healer
behavioral1/memory/5020-28-0x00000000007E0000-0x00000000007EA000-memory.dmp	healer
behavioral1/memory/3312-34-0x00000000026A0000-0x00000000026BA000-memory.dmp	healer
behavioral1/memory/3312-36-0x0000000004B80000-0x0000000004B98000-memory.dmp	healer
behavioral1/memory/3312-37-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-42-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-64-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-62-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-60-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-58-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-56-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-54-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-52-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-50-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-48-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-46-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-44-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-40-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3312-38-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

v3024Cl.exetz7376.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v3024Cl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3024Cl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3024Cl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3024Cl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz7376.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7376.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7376.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3024Cl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3024Cl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7376.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7376.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7376.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4136-72-0x00000000024F0000-0x0000000002536000-memory.dmp	family_redline
behavioral1/memory/4136-73-0x00000000050D0000-0x0000000005114000-memory.dmp	family_redline
behavioral1/memory/4136-75-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-74-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-87-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-107-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-105-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-103-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-101-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-99-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-97-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-93-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-91-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-90-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-85-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-84-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-81-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-79-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-77-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline
behavioral1/memory/4136-95-0x00000000050D0000-0x000000000510F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 6 IoCs

Processes:

zap6201.exezap3923.exezap8030.exetz7376.exev3024Cl.exew77LY20.exe

pid process

2548 zap6201.exe
4988 zap3923.exe
4916 zap8030.exe
5020 tz7376.exe
3312 v3024Cl.exe
4136 w77LY20.exe

pid	process
2548	zap6201.exe
4988	zap3923.exe
4916	zap8030.exe
5020	tz7376.exe
3312	v3024Cl.exe
4136	w77LY20.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

tz7376.exev3024Cl.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7376.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3024Cl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3024Cl.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

zap6201.exezap3923.exezap8030.exef6ccbe27850f0de172e54bb06962746ca50bdb4bef222e7b112dbc6c55e28857.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap6201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3923.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f6ccbe27850f0de172e54bb06962746ca50bdb4bef222e7b112dbc6c55e28857.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4372 sc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3580 3312 WerFault.exe v3024Cl.exe

pid	process
4372	sc.exe

pid	pid_target	process	target process
3580	3312	WerFault.exe	v3024Cl.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

w77LY20.exef6ccbe27850f0de172e54bb06962746ca50bdb4bef222e7b112dbc6c55e28857.exezap6201.exezap3923.exezap8030.exev3024Cl.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w77LY20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6ccbe27850f0de172e54bb06962746ca50bdb4bef222e7b112dbc6c55e28857.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap6201.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap3923.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap8030.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v3024Cl.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

tz7376.exev3024Cl.exe

pid process

5020 tz7376.exe
5020 tz7376.exe
3312 v3024Cl.exe
3312 v3024Cl.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tz7376.exev3024Cl.exew77LY20.exe

description pid process

Token: SeDebugPrivilege 5020 tz7376.exe
Token: SeDebugPrivilege 3312 v3024Cl.exe
Token: SeDebugPrivilege 4136 w77LY20.exe

pid	process
5020	tz7376.exe
5020	tz7376.exe
3312	v3024Cl.exe
3312	v3024Cl.exe

description	pid	process
Token: SeDebugPrivilege	5020	tz7376.exe
Token: SeDebugPrivilege	3312	v3024Cl.exe
Token: SeDebugPrivilege	4136	w77LY20.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

f6ccbe27850f0de172e54bb06962746ca50bdb4bef222e7b112dbc6c55e28857.exezap6201.exezap3923.exezap8030.exe

description	pid	process	target process
PID 5008 wrote to memory of 2548	5008	f6ccbe27850f0de172e54bb06962746ca50bdb4bef222e7b112dbc6c55e28857.exe	zap6201.exe
PID 5008 wrote to memory of 2548	5008	f6ccbe27850f0de172e54bb06962746ca50bdb4bef222e7b112dbc6c55e28857.exe	zap6201.exe
PID 5008 wrote to memory of 2548	5008	f6ccbe27850f0de172e54bb06962746ca50bdb4bef222e7b112dbc6c55e28857.exe	zap6201.exe
PID 2548 wrote to memory of 4988	2548	zap6201.exe	zap3923.exe
PID 2548 wrote to memory of 4988	2548	zap6201.exe	zap3923.exe
PID 2548 wrote to memory of 4988	2548	zap6201.exe	zap3923.exe
PID 4988 wrote to memory of 4916	4988	zap3923.exe	zap8030.exe
PID 4988 wrote to memory of 4916	4988	zap3923.exe	zap8030.exe
PID 4988 wrote to memory of 4916	4988	zap3923.exe	zap8030.exe
PID 4916 wrote to memory of 5020	4916	zap8030.exe	tz7376.exe
PID 4916 wrote to memory of 5020	4916	zap8030.exe	tz7376.exe
PID 4916 wrote to memory of 3312	4916	zap8030.exe	v3024Cl.exe
PID 4916 wrote to memory of 3312	4916	zap8030.exe	v3024Cl.exe
PID 4916 wrote to memory of 3312	4916	zap8030.exe	v3024Cl.exe
PID 4988 wrote to memory of 4136	4988	zap3923.exe	w77LY20.exe
PID 4988 wrote to memory of 4136	4988	zap3923.exe	w77LY20.exe
PID 4988 wrote to memory of 4136	4988	zap3923.exe	w77LY20.exe

C:\Users\Admin\AppData\Local\Temp\f6ccbe27850f0de172e54bb06962746ca50bdb4bef222e7b112dbc6c55e28857.exe
"C:\Users\Admin\AppData\Local\Temp\f6ccbe27850f0de172e54bb06962746ca50bdb4bef222e7b112dbc6c55e28857.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6201.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6201.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3923.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3923.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8030.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8030.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7376.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7376.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3024Cl.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3024Cl.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1100
6⤵
- Program crash
PID:3580

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w77LY20.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w77LY20.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3312 -ip 3312
1⤵
PID:3788

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6201.exe

Filesize
793KB

MD5
ec8c1b3bc3a48c99a042adf2e90b4304

SHA1
8902da9c97ddb9874d15457f2d751d6d4328c5fa

SHA256
f633e14aca57b9a9a8eae0ab62524e649e36127525df326b93ffd3cff9640970

SHA512
a2961e88ae86a727c8bf8c73b2862cb8643790a840b8a89cf92b8ba4ed5a40aa1501e44ae4da70ab3496c2dfe60ac0947698168556824ee850a00cf0a65804cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3923.exe

Filesize
651KB

MD5
deff7f09e89593ec01b996b381657b9e

SHA1
7a440235e6d555e782e0b743179c7d0419f4341a

SHA256
8baee44d52eb8f3fe6df6a0871f58596092bae3f2647bfaa62552aa610055b48

SHA512
4f71781cb48586ed3e3791b9065466515af3d3b85fd44fdbbd693b6a021ac683ed89b94ea944bec56b9d89fcc6f8bcccfc2c9c626447dc3fa26769e427521338

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w77LY20.exe

Filesize
292KB

MD5
747443d136e239aa64a0002a274d19b9

SHA1
9ff7fef5299d3f9b22a0825b4c767b982a2d6947

SHA256
d6a34519ae83b7464ef25826989fc92e1b8607ba7423b93fcc77fb1d82897835

SHA512
4f759a949c2d050bd286fcf650eb056b424c9ab75e9dba376c7266dc28f0b84f1d139e5c078dd3afeb3b9011794b141dd14fc9a557245d7d32f3790a2b679c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8030.exe

Filesize
322KB

MD5
92128526f2d10b592f37806674ea3e8a

SHA1
036b5d40136fe03c8c4bf86d286eef19262dc80a

SHA256
dad856f4d63559a5c0aa0b97a138721cd0d4f663d18935a9400c71ffd370d1e2

SHA512
9758f94e113d5f6fd1b30268f1b02554aaf9c850b61b0681913c81dd0f535d979bed631e40a5f578db08214330a20bb355a548b351c0b359ea8a3dcc7a47b317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7376.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3024Cl.exe

Filesize
234KB

MD5
143ee42c74e480c65a8091436eb70dad

SHA1
fe000f226e7a019d762db323e2b6a1386f9f474b

SHA256
8a7ec92fc200f6f6b4dfad0927f4e568817c3123cac87a1b2800448388556e1e

SHA512
4dd1ae2d951e676ba7881384cd80cdac4ad96b2d2d2ff0715df168271a9c70ab0ea5855056e0a96d9b635029ccf4937e05b03d5624ee619615842d4096275698

Download Submit
memory/3312-67-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3312-35-0x0000000004C30000-0x00000000051D4000-memory.dmp

Filesize
5.6MB

Download
memory/3312-36-0x0000000004B80000-0x0000000004B98000-memory.dmp

Filesize
96KB

Download
memory/3312-37-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-42-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-64-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-62-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-60-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-58-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-56-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-54-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-52-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-50-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-48-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-46-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-44-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-40-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-38-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3312-65-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3312-34-0x00000000026A0000-0x00000000026BA000-memory.dmp

Filesize
104KB

Download
memory/4136-75-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-91-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-73-0x00000000050D0000-0x0000000005114000-memory.dmp

Filesize
272KB

Download
memory/4136-984-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download
memory/4136-74-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-87-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-107-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-105-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-103-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-101-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-99-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-97-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-93-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-72-0x00000000024F0000-0x0000000002536000-memory.dmp

Filesize
280KB

Download
memory/4136-90-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-85-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-84-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-81-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-79-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-77-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-95-0x00000000050D0000-0x000000000510F000-memory.dmp

Filesize
252KB

Download
memory/4136-980-0x0000000005110000-0x0000000005728000-memory.dmp

Filesize
6.1MB

Download
memory/4136-981-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/4136-982-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/4136-983-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/5020-28-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download