healer | aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exe
Size

802KB
MD5

21fe5ebd39a747c5c0fe1fef41d98a74
SHA1

f368352d5182bd0b3f2c1297e0b1b2c3a86702fb
SHA256

aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb
SHA512

ced62d4f72eff9ed57b7f3dd446190b24773aee55b4f348180b09b4b8e86064e081828badfff8d9518fc7739bed4ceac4bc6b05c16ec38a911cc734e3f0238e2
SSDEEP

24576:4yPPBvz0EigO1E+DCSyZ4jByBf24eGyaDr:/BvzZO1HyyjBmFf

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3756-19-0x0000000002570000-0x000000000258A000-memory.dmp	healer
behavioral1/memory/3756-21-0x0000000004B80000-0x0000000004B98000-memory.dmp	healer
behavioral1/memory/3756-49-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-47-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-45-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-43-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-41-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-40-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-37-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-35-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-33-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-31-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-29-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-27-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-25-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-23-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/3756-22-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro5564.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro5564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5564.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2248-2142-0x00000000028C0000-0x00000000028F2000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral1/memory/3300-2155-0x0000000000780000-0x00000000007B0000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si334851.exe	family_redline
behavioral1/memory/5680-2166-0x0000000000820000-0x000000000084E000-memory.dmp	family_redline

Redline family
redline
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

qu8151.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation qu8151.exe
Executes dropped EXE 5 IoCs

Processes:

un145405.exepro5564.exequ8151.exe1.exesi334851.exe

pid process

3284 un145405.exe
3756 pro5564.exe
2248 qu8151.exe
3300 1.exe
5680 si334851.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	qu8151.exe

pid	process
3284	un145405.exe
3756	pro5564.exe
2248	qu8151.exe
3300	1.exe
5680	si334851.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro5564.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5564.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exeun145405.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un145405.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1096 3756 WerFault.exe pro5564.exe
5864 2248 WerFault.exe qu8151.exe

pid	pid_target	process	target process
1096	3756	WerFault.exe	pro5564.exe
5864	2248	WerFault.exe	qu8151.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

un145405.exepro5564.exequ8151.exe1.exesi334851.exeaac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un145405.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro5564.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu8151.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si334851.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro5564.exe

pid process

3756 pro5564.exe
3756 pro5564.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro5564.exequ8151.exe

description pid process

Token: SeDebugPrivilege 3756 pro5564.exe
Token: SeDebugPrivilege 2248 qu8151.exe

pid	process
3756	pro5564.exe
3756	pro5564.exe

description	pid	process
Token: SeDebugPrivilege	3756	pro5564.exe
Token: SeDebugPrivilege	2248	qu8151.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exeun145405.exequ8151.exe

description	pid	process	target process
PID 3880 wrote to memory of 3284	3880	aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exe	un145405.exe
PID 3880 wrote to memory of 3284	3880	aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exe	un145405.exe
PID 3880 wrote to memory of 3284	3880	aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exe	un145405.exe
PID 3284 wrote to memory of 3756	3284	un145405.exe	pro5564.exe
PID 3284 wrote to memory of 3756	3284	un145405.exe	pro5564.exe
PID 3284 wrote to memory of 3756	3284	un145405.exe	pro5564.exe
PID 3284 wrote to memory of 2248	3284	un145405.exe	qu8151.exe
PID 3284 wrote to memory of 2248	3284	un145405.exe	qu8151.exe
PID 3284 wrote to memory of 2248	3284	un145405.exe	qu8151.exe
PID 2248 wrote to memory of 3300	2248	qu8151.exe	1.exe
PID 2248 wrote to memory of 3300	2248	qu8151.exe	1.exe
PID 2248 wrote to memory of 3300	2248	qu8151.exe	1.exe
PID 3880 wrote to memory of 5680	3880	aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exe	si334851.exe
PID 3880 wrote to memory of 5680	3880	aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exe	si334851.exe
PID 3880 wrote to memory of 5680	3880	aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exe	si334851.exe

C:\Users\Admin\AppData\Local\Temp\aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exe
"C:\Users\Admin\AppData\Local\Temp\aac2c8d378178924b4f00336f06009b4b0bd258154c5904cab70652fcaaa23cb.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un145405.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un145405.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3284

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5564.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5564.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1084
4⤵
- Program crash
PID:1096

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8151.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8151.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1384
4⤵
- Program crash
PID:5864

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si334851.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si334851.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3756 -ip 3756
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2248 -ip 2248
1⤵
PID:6080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si334851.exe

Filesize
168KB

MD5
8978ca4b4b3d9e82282997f859ff8f75

SHA1
25308f30e0578442fad92b07d79713568f67c75b

SHA256
f83a81d0741ee5ed84452483249cb6321dd77e56c08c0b0a4d53b3595e3721b1

SHA512
a92b3bd79f5b36863b2c790a949ac5b4c6ed05e717e91f445534eaaf420f06dd0fdb741d5b19471aa0555306f7632998823f7c8bf1433f0ac7fa7067b21459c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un145405.exe

Filesize
648KB

MD5
66e8913ad37243791f8a8a105a19db3a

SHA1
c36ec6fd6c6d20d315a359425f9ac1f3b0556135

SHA256
c5198dc55fada2375a9e50191bd905600b2881f4944a083f092ebab84f1ab19c

SHA512
e69eaf6f126dc748a2217ec088a3ed901640040a40cbf4211972fde74c584606683aa3388729face476ede3567b0375a5c83030bc9fae0e2f053050dbb94f48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5564.exe

Filesize
252KB

MD5
99e59a93fac61a17822db1929bbda916

SHA1
1bb2b8bc9fd0cf1408de72f680cc241488e8f3f0

SHA256
91904e81c42e8de7be845ef3ae409378fa7dd11160717b18e155d36397a4d971

SHA512
62fd0f860748a94ef8d017854b21491bde1642dcfa0e7225499202dfe1321c713e5418df0e47dde7f92b0ff04c5659f1da860dfa25e03a3050bb3765d60d2c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8151.exe

Filesize
435KB

MD5
782b1a63d2ea3bbcd92ac3d3fc94b755

SHA1
a11c2419dbd64e71913b4d203c65c34cf7d49e6a

SHA256
f435001c21fc436d567a02534f6719565b107606fac85d68cfc3bd209b635f56

SHA512
1197a3e2a8d5f211e0531f3ed990ff3ffd7b9ed5b9ca22b30e2c8e6b2267f9cbeef668b080a3edf313de0446d83569767cdd37565a37b66811f2c0cd7e688fd4

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/2248-67-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-60-0x0000000004C40000-0x0000000004CA6000-memory.dmp

Filesize
408KB

Download
memory/2248-65-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-85-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-2142-0x00000000028C0000-0x00000000028F2000-memory.dmp

Filesize
200KB

Download
memory/2248-62-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-63-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-89-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-69-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-71-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-73-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-75-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-77-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-95-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-81-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-84-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-87-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-91-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-93-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-79-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/2248-61-0x0000000004CB0000-0x0000000004D16000-memory.dmp

Filesize
408KB

Download
memory/3300-2160-0x0000000005160000-0x000000000519C000-memory.dmp

Filesize
240KB

Download
memory/3300-2155-0x0000000000780000-0x00000000007B0000-memory.dmp

Filesize
192KB

Download
memory/3300-2161-0x00000000052E0000-0x000000000532C000-memory.dmp

Filesize
304KB

Download
memory/3300-2159-0x0000000005100000-0x0000000005112000-memory.dmp

Filesize
72KB

Download
memory/3300-2158-0x00000000051D0000-0x00000000052DA000-memory.dmp

Filesize
1.0MB

Download
memory/3300-2157-0x00000000056A0000-0x0000000005CB8000-memory.dmp

Filesize
6.1MB

Download
memory/3300-2156-0x0000000004F60000-0x0000000004F66000-memory.dmp

Filesize
24KB

Download
memory/3756-23-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-43-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3756-25-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-27-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-29-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-31-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-33-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-35-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-37-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-40-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-41-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3756-22-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-45-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-47-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-49-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3756-17-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3756-50-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/3756-19-0x0000000002570000-0x000000000258A000-memory.dmp

Filesize
104KB

Download
memory/3756-15-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/3756-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3756-54-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3756-21-0x0000000004B80000-0x0000000004B98000-memory.dmp

Filesize
96KB

Download
memory/3756-18-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3756-20-0x0000000004C30000-0x00000000051D4000-memory.dmp

Filesize
5.6MB

Download
memory/5680-2166-0x0000000000820000-0x000000000084E000-memory.dmp

Filesize
184KB

Download
memory/5680-2167-0x0000000002890000-0x0000000002896000-memory.dmp

Filesize
24KB

Download