healer | ba0a0a4e9df899cc91b46b757040fed45afa28b5bbde638f8c30236857512350

Analysis

max time kernel
142s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba0a0a4e9df899cc91b46b757040fed45afa28b5bbde638f8c30236857512350.exe
Size

988KB
MD5

c0e86ff1217393329e67737a25852011
SHA1

9b02239a3f170ebd4dcb458e96183c17f434b393
SHA256

ba0a0a4e9df899cc91b46b757040fed45afa28b5bbde638f8c30236857512350
SHA512

dd6f37e5004c0a696332a9c5e716fbdbf6a15be9b70c332ae59459a44d6fdf5e11ef68f7c7ed6728166fb68e2f714da12ada6fee088bfc9f24c14fd13033f676
SSDEEP

24576:Myobx8PjSZCsZMqbfCD812pJMWQXxneHGUfn4u:7od8GxJb32pSXMm04

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu219894.exe	healer
behavioral1/memory/4104-28-0x00000000002F0000-0x00000000002FA000-memory.dmp	healer
behavioral1/memory/3148-34-0x00000000023A0000-0x00000000023BA000-memory.dmp	healer
behavioral1/memory/3148-36-0x00000000024E0000-0x00000000024F8000-memory.dmp	healer
behavioral1/memory/3148-37-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-62-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-60-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-59-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-57-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-54-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-52-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-50-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-49-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-46-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-44-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-42-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-40-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-38-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3148-64-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

bu219894.execor9889.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu219894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu219894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu219894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor9889.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor9889.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor9889.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor9889.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu219894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu219894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu219894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor9889.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor9889.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3832-72-0x00000000024D0000-0x0000000002516000-memory.dmp	family_redline
behavioral1/memory/3832-73-0x0000000005050000-0x0000000005094000-memory.dmp	family_redline
behavioral1/memory/3832-77-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-75-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-74-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-81-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-79-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-105-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-95-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-83-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-107-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-103-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-101-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-99-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-98-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-93-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-91-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-89-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-87-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3832-85-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 6 IoCs

Processes:

kina3267.exekina5637.exekina5146.exebu219894.execor9889.exedZC07s33.exe

pid process

4460 kina3267.exe
2616 kina5637.exe
3428 kina5146.exe
4104 bu219894.exe
3148 cor9889.exe
3832 dZC07s33.exe

pid	process
4460	kina3267.exe
2616	kina5637.exe
3428	kina5146.exe
4104	bu219894.exe
3148	cor9889.exe
3832	dZC07s33.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

cor9889.exebu219894.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor9889.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor9889.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu219894.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ba0a0a4e9df899cc91b46b757040fed45afa28b5bbde638f8c30236857512350.exekina3267.exekina5637.exekina5146.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ba0a0a4e9df899cc91b46b757040fed45afa28b5bbde638f8c30236857512350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina3267.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina5637.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina5146.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2452 3148 WerFault.exe cor9889.exe

pid	pid_target	process	target process
2452	3148	WerFault.exe	cor9889.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kina5637.exekina5146.execor9889.exedZC07s33.exeba0a0a4e9df899cc91b46b757040fed45afa28b5bbde638f8c30236857512350.exekina3267.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kina5637.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kina5146.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cor9889.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dZC07s33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba0a0a4e9df899cc91b46b757040fed45afa28b5bbde638f8c30236857512350.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kina3267.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

bu219894.execor9889.exe

pid process

4104 bu219894.exe
4104 bu219894.exe
3148 cor9889.exe
3148 cor9889.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bu219894.execor9889.exedZC07s33.exe

description pid process

Token: SeDebugPrivilege 4104 bu219894.exe
Token: SeDebugPrivilege 3148 cor9889.exe
Token: SeDebugPrivilege 3832 dZC07s33.exe

pid	process
4104	bu219894.exe
4104	bu219894.exe
3148	cor9889.exe
3148	cor9889.exe

description	pid	process
Token: SeDebugPrivilege	4104	bu219894.exe
Token: SeDebugPrivilege	3148	cor9889.exe
Token: SeDebugPrivilege	3832	dZC07s33.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

ba0a0a4e9df899cc91b46b757040fed45afa28b5bbde638f8c30236857512350.exekina3267.exekina5637.exekina5146.exe

description	pid	process	target process
PID 4836 wrote to memory of 4460	4836	ba0a0a4e9df899cc91b46b757040fed45afa28b5bbde638f8c30236857512350.exe	kina3267.exe
PID 4836 wrote to memory of 4460	4836	ba0a0a4e9df899cc91b46b757040fed45afa28b5bbde638f8c30236857512350.exe	kina3267.exe
PID 4836 wrote to memory of 4460	4836	ba0a0a4e9df899cc91b46b757040fed45afa28b5bbde638f8c30236857512350.exe	kina3267.exe
PID 4460 wrote to memory of 2616	4460	kina3267.exe	kina5637.exe
PID 4460 wrote to memory of 2616	4460	kina3267.exe	kina5637.exe
PID 4460 wrote to memory of 2616	4460	kina3267.exe	kina5637.exe
PID 2616 wrote to memory of 3428	2616	kina5637.exe	kina5146.exe
PID 2616 wrote to memory of 3428	2616	kina5637.exe	kina5146.exe
PID 2616 wrote to memory of 3428	2616	kina5637.exe	kina5146.exe
PID 3428 wrote to memory of 4104	3428	kina5146.exe	bu219894.exe
PID 3428 wrote to memory of 4104	3428	kina5146.exe	bu219894.exe
PID 3428 wrote to memory of 3148	3428	kina5146.exe	cor9889.exe
PID 3428 wrote to memory of 3148	3428	kina5146.exe	cor9889.exe
PID 3428 wrote to memory of 3148	3428	kina5146.exe	cor9889.exe
PID 2616 wrote to memory of 3832	2616	kina5637.exe	dZC07s33.exe
PID 2616 wrote to memory of 3832	2616	kina5637.exe	dZC07s33.exe
PID 2616 wrote to memory of 3832	2616	kina5637.exe	dZC07s33.exe

C:\Users\Admin\AppData\Local\Temp\ba0a0a4e9df899cc91b46b757040fed45afa28b5bbde638f8c30236857512350.exe
"C:\Users\Admin\AppData\Local\Temp\ba0a0a4e9df899cc91b46b757040fed45afa28b5bbde638f8c30236857512350.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3267.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3267.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5637.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5637.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5146.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5146.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3428

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu219894.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu219894.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9889.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9889.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1084
6⤵
- Program crash
PID:2452

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZC07s33.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZC07s33.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3148 -ip 3148
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3267.exe

Filesize
803KB

MD5
83326d8178e15612d76a78a7ac0c4d22

SHA1
85603ec401cf66f7112574fafeed84ac84bc9fdf

SHA256
2fd030f8aaa61268f7647a2cecb1b746960fa9b14e7d63699c6c39e0f9d4830b

SHA512
7b73c2102040c42efbadfe67aa7ed4e1b7d09f2b9c194791424980f164c271cd55edcda884e78b8a72cceb9d4a754043c4814c53ab5468ebce952d302e30176a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5637.exe

Filesize
650KB

MD5
c1357fe7ad3f67254ecb163b4a6d256c

SHA1
c8241389be8e94af114f368f84f4a77aebc4d348

SHA256
bbbd03cf94af2211dab954ddf5d4bd58800295005063415106db8df6356c51ad

SHA512
98faa7730deb84fd1510321db9dc40383d98dabe565973926783c2ad2a48c6a86a6f5b3e2feb6875c0e7d0e711fef0475597974f49db1226a013702fbc69bf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZC07s33.exe

Filesize
295KB

MD5
3893b3c960a007e4c7dba3afdc85a6d1

SHA1
3b3df4ad15b28a52ab65d795205c3bf66cfee85f

SHA256
77f0f9ae77a423f791775c0550d4cf724bc3c347ac92b4c387fea86cd77e56f5

SHA512
68340a7bc510c0784fa6fd261341faaa3f2a956c3cce5abec6c78e0aaa00cfcf7e03793fe2223521ffd5d1af08c4b7da17c01513901eb6d44bfcf10ca8fc17ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5146.exe

Filesize
321KB

MD5
13722c1998e8f0fd4b5725fa2c205fcb

SHA1
c021164d73bde24aa1c0d31e1845ebd262cb0725

SHA256
d18fdba171396552d37347d44d33c20788a0c13e07405c2160abebe583baef9f

SHA512
5c5c2b32d7c2e33582088ab79856c3a0ec59c82ef07dd7e8f4ea92ba3cfa6fceef3ab4afb0d4dce7c3730ae20e20735b0778490e2bc02ddc2d980b63ef086e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu219894.exe

Filesize
15KB

MD5
8c07b2b30e4ef8e9064a62bba4f0870f

SHA1
a2a9167a987011db0753066d46d63d4475050ac7

SHA256
154d28aaacd1614eb776be30ea2b40c1a6e469ab2cba7e1644459bfd7af4a16e

SHA512
9893f9ba2eb9b0a9d5a1e326951a6dac1b6a7bd65016a726ca432d27ecf5bfda6269832695dbf5b8ee3bac066df4275c80f77730952d8fe15237ae8df076e9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9889.exe

Filesize
237KB

MD5
2ec101b43be6023a8d1e3033f92af6f9

SHA1
c5a268538ceb5a97e8ef6fd2459ab9ef795e7f15

SHA256
7840ab3b2ae3b75310e567c4e633813c8fc6d79e0087daec4e3675223aed9a97

SHA512
3ab6535e915bb547b112c964a7b5702a40541a022d13af339426f3635409b90f5051fc273ee3dd56025561e956385139dd07f7c95e2f1b67867b55aeae44090a

Download Submit
memory/3148-67-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3148-35-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/3148-36-0x00000000024E0000-0x00000000024F8000-memory.dmp

Filesize
96KB

Download
memory/3148-37-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-62-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-60-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-59-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-57-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-54-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-52-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-50-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-49-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-46-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-44-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-42-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-40-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-38-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-64-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3148-65-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3148-34-0x00000000023A0000-0x00000000023BA000-memory.dmp

Filesize
104KB

Download
memory/3832-77-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-101-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-73-0x0000000005050000-0x0000000005094000-memory.dmp

Filesize
272KB

Download
memory/3832-984-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download
memory/3832-75-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-74-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-81-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-79-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-105-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-95-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-83-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-107-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-103-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-72-0x00000000024D0000-0x0000000002516000-memory.dmp

Filesize
280KB

Download
memory/3832-99-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-98-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-93-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-91-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-89-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-87-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-85-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3832-980-0x00000000050F0000-0x0000000005708000-memory.dmp

Filesize
6.1MB

Download
memory/3832-981-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/3832-982-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/3832-983-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/4104-28-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download