healer | d9d163cd3f40af220bc1128be1b3ecaabbf7b86b922b7d92da14b5ce7c36148c

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9d163cd3f40af220bc1128be1b3ecaabbf7b86b922b7d92da14b5ce7c36148c.exe
Size

987KB
MD5

599bbbeb433edb1cbf1413ff630d05ed
SHA1

006789970d5513e38dcb07b4a5dcd17aa762432f
SHA256

d9d163cd3f40af220bc1128be1b3ecaabbf7b86b922b7d92da14b5ce7c36148c
SHA512

2c6e7f94a0dbad97e4523518262f7ac4d15b627e4b281ce0775efb681ee0becd55eca9f1fcd7618044170b6632e2720e2c069c7bb1b95f3de17d8b1e9fc402b1
SSDEEP

24576:EySYsJ1TNsALBJ2j7vnfujjpkulTywt9ESfOLIT7JvtU:TS/J5Zk4jKub7JOLAv

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2261.exe	healer
behavioral1/memory/2732-28-0x00000000007F0000-0x00000000007FA000-memory.dmp	healer
behavioral1/memory/3248-34-0x0000000002170000-0x000000000218A000-memory.dmp	healer
behavioral1/memory/3248-36-0x0000000004A30000-0x0000000004A48000-memory.dmp	healer
behavioral1/memory/3248-37-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-44-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-64-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-62-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-61-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-58-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-56-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-55-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-52-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-50-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-48-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-46-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-42-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-40-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer
behavioral1/memory/3248-38-0x0000000004A30000-0x0000000004A42000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

tz2261.exev0562jO.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2261.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0562jO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0562jO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0562jO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0562jO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0562jO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0562jO.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1936-72-0x0000000002480000-0x00000000024C6000-memory.dmp	family_redline
behavioral1/memory/1936-73-0x00000000050A0000-0x00000000050E4000-memory.dmp	family_redline
behavioral1/memory/1936-79-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-89-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-107-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-105-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-103-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-101-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-99-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-97-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-95-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-91-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-87-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-85-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-83-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-81-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-93-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-77-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-75-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline
behavioral1/memory/1936-74-0x00000000050A0000-0x00000000050DF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 6 IoCs

Processes:

zap2245.exezap3069.exezap7761.exetz2261.exev0562jO.exew47Xs75.exe

pid process

1920 zap2245.exe
4996 zap3069.exe
932 zap7761.exe
2732 tz2261.exe
3248 v0562jO.exe
1936 w47Xs75.exe

pid	process
1920	zap2245.exe
4996	zap3069.exe
932	zap7761.exe
2732	tz2261.exe
3248	v0562jO.exe
1936	w47Xs75.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

tz2261.exev0562jO.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2261.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0562jO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0562jO.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d9d163cd3f40af220bc1128be1b3ecaabbf7b86b922b7d92da14b5ce7c36148c.exezap2245.exezap3069.exezap7761.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d9d163cd3f40af220bc1128be1b3ecaabbf7b86b922b7d92da14b5ce7c36148c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2245.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3069.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7761.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2584 3248 WerFault.exe v0562jO.exe

pid	pid_target	process	target process
2584	3248	WerFault.exe	v0562jO.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

zap3069.exezap7761.exev0562jO.exew47Xs75.exed9d163cd3f40af220bc1128be1b3ecaabbf7b86b922b7d92da14b5ce7c36148c.exezap2245.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap3069.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap7761.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v0562jO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w47Xs75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9d163cd3f40af220bc1128be1b3ecaabbf7b86b922b7d92da14b5ce7c36148c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap2245.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

tz2261.exev0562jO.exe

pid process

2732 tz2261.exe
2732 tz2261.exe
3248 v0562jO.exe
3248 v0562jO.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tz2261.exev0562jO.exew47Xs75.exe

description pid process

Token: SeDebugPrivilege 2732 tz2261.exe
Token: SeDebugPrivilege 3248 v0562jO.exe
Token: SeDebugPrivilege 1936 w47Xs75.exe

pid	process
2732	tz2261.exe
2732	tz2261.exe
3248	v0562jO.exe
3248	v0562jO.exe

description	pid	process
Token: SeDebugPrivilege	2732	tz2261.exe
Token: SeDebugPrivilege	3248	v0562jO.exe
Token: SeDebugPrivilege	1936	w47Xs75.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

d9d163cd3f40af220bc1128be1b3ecaabbf7b86b922b7d92da14b5ce7c36148c.exezap2245.exezap3069.exezap7761.exe

description	pid	process	target process
PID 708 wrote to memory of 1920	708	d9d163cd3f40af220bc1128be1b3ecaabbf7b86b922b7d92da14b5ce7c36148c.exe	zap2245.exe
PID 708 wrote to memory of 1920	708	d9d163cd3f40af220bc1128be1b3ecaabbf7b86b922b7d92da14b5ce7c36148c.exe	zap2245.exe
PID 708 wrote to memory of 1920	708	d9d163cd3f40af220bc1128be1b3ecaabbf7b86b922b7d92da14b5ce7c36148c.exe	zap2245.exe
PID 1920 wrote to memory of 4996	1920	zap2245.exe	zap3069.exe
PID 1920 wrote to memory of 4996	1920	zap2245.exe	zap3069.exe
PID 1920 wrote to memory of 4996	1920	zap2245.exe	zap3069.exe
PID 4996 wrote to memory of 932	4996	zap3069.exe	zap7761.exe
PID 4996 wrote to memory of 932	4996	zap3069.exe	zap7761.exe
PID 4996 wrote to memory of 932	4996	zap3069.exe	zap7761.exe
PID 932 wrote to memory of 2732	932	zap7761.exe	tz2261.exe
PID 932 wrote to memory of 2732	932	zap7761.exe	tz2261.exe
PID 932 wrote to memory of 3248	932	zap7761.exe	v0562jO.exe
PID 932 wrote to memory of 3248	932	zap7761.exe	v0562jO.exe
PID 932 wrote to memory of 3248	932	zap7761.exe	v0562jO.exe
PID 4996 wrote to memory of 1936	4996	zap3069.exe	w47Xs75.exe
PID 4996 wrote to memory of 1936	4996	zap3069.exe	w47Xs75.exe
PID 4996 wrote to memory of 1936	4996	zap3069.exe	w47Xs75.exe

C:\Users\Admin\AppData\Local\Temp\d9d163cd3f40af220bc1128be1b3ecaabbf7b86b922b7d92da14b5ce7c36148c.exe
"C:\Users\Admin\AppData\Local\Temp\d9d163cd3f40af220bc1128be1b3ecaabbf7b86b922b7d92da14b5ce7c36148c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:708

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2245.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2245.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3069.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3069.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7761.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7761.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2261.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2261.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0562jO.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0562jO.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1100
6⤵
- Program crash
PID:2584

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w47Xs75.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w47Xs75.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3248 -ip 3248
1⤵
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2245.exe

Filesize
804KB

MD5
04d439704e6525b1f0c920387f55e757

SHA1
340128a85b89c99fbb56317f48d08839874d6a12

SHA256
7fee4d5cae4f38bd5273e348b14a5d449f0038fda22f114814bfd27723122361

SHA512
2ac8be9482c42292275b2b24e7f0f19885e01e5ee8264e573e9ea55e8c81b316fcb2460b5e4468e1be5d95abd3f7bd4f76a39e7426bac7150b3b0e3e76ef4014

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3069.exe

Filesize
651KB

MD5
3dbcca759f39ac84a93393280553226f

SHA1
2dc5c2059f2dc02b8e4d6941846c646d8b782f94

SHA256
422c2d8560a660a1fa3e0da2ec7048350d8cb282d010fa57c09a036754c39fcd

SHA512
c67b7603038d499299e9475505b2fffcfbca340cec1e59ce19a2298709c423a20a6c14ef2eed9e746c31081fc82b2ee502fd24a1cf5838b4b2056cff9b39d359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w47Xs75.exe

Filesize
292KB

MD5
5139b267c598d932bc7f93551fddc1b3

SHA1
7d5b62c62b519912318c94b91d58d6afc380638f

SHA256
eb649908915e78c6b3b65f486a18043e710c3e0041d5d0382917bfb0da3f0945

SHA512
c97c0cf7cb8671e5bcfcb530283a2e2237d2b88c51a3fb3e55b5edee8e7020596fa47a5b1b301e5fd50a49ec1de8af97416f0c47a4e94afc83e0e6fcf5e172d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7761.exe

Filesize
322KB

MD5
449a91ec2e027922045b7efa21546bc9

SHA1
3e185afed2d53f34757c0e76743fc19a086bbd84

SHA256
fdf47c690d4ba14a067d3656699a054268d2e872d6452d1236779c1aada707a7

SHA512
ded15b50d51195a7a32b408d8aac6fdca99e0d93303f6e254b52ff7aa1fe5814573f07da7dcdc4300f527aa3af5699ae84a56a6bf624d9304f40b104ee98774b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2261.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0562jO.exe

Filesize
235KB

MD5
faafebb3ebe2defdc61e2657057810fa

SHA1
f0b44a107ce52583fab24ebee35ade25fc25b5ec

SHA256
107352fb365b10d1e7d29bd193b64bde164db57bc36d8808bd564d6b15bb712b

SHA512
7fc8f27032af92d6e026a5de78745ce51dd94194eebea0b5a1df3f72be239b0997da868c9dbc90804ef5711eaaa273c1553a6fce916cdab2cb1b6e2f2827061b

Download Submit
memory/1936-87-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-85-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-984-0x0000000005A30000-0x0000000005A7C000-memory.dmp

Filesize
304KB

Download
memory/1936-983-0x00000000058E0000-0x000000000591C000-memory.dmp

Filesize
240KB

Download
memory/1936-982-0x00000000058C0000-0x00000000058D2000-memory.dmp

Filesize
72KB

Download
memory/1936-981-0x0000000005780000-0x000000000588A000-memory.dmp

Filesize
1.0MB

Download
memory/1936-980-0x00000000050E0000-0x00000000056F8000-memory.dmp

Filesize
6.1MB

Download
memory/1936-74-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-75-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-77-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-93-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-81-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-83-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-91-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-95-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-97-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-99-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-101-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-103-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-105-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-107-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-72-0x0000000002480000-0x00000000024C6000-memory.dmp

Filesize
280KB

Download
memory/1936-73-0x00000000050A0000-0x00000000050E4000-memory.dmp

Filesize
272KB

Download
memory/1936-79-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/1936-89-0x00000000050A0000-0x00000000050DF000-memory.dmp

Filesize
252KB

Download
memory/2732-28-0x00000000007F0000-0x00000000007FA000-memory.dmp

Filesize
40KB

Download
memory/3248-50-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-44-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-38-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-40-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-42-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-46-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-48-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-52-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-36-0x0000000004A30000-0x0000000004A48000-memory.dmp

Filesize
96KB

Download
memory/3248-65-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3248-67-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3248-55-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-56-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-58-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-61-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-62-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-64-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-34-0x0000000002170000-0x000000000218A000-memory.dmp

Filesize
104KB

Download
memory/3248-37-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3248-35-0x0000000004B60000-0x0000000005104000-memory.dmp

Filesize
5.6MB

Download