healer | dba07033713c3c8362119985150049a747b7a3fa42cb51799c6213defb87d25b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dba07033713c3c8362119985150049a747b7a3fa42cb51799c6213defb87d25b.exe
Size

989KB
MD5

2989659a9a9e9d52bbaac77420eb2c5d
SHA1

5da1398ec4cfb3d8c590d7f471491f20e6fe8bd3
SHA256

dba07033713c3c8362119985150049a747b7a3fa42cb51799c6213defb87d25b
SHA512

8abc0cf62cf274a91ab62e7c94a94a00bbe85cc687005880b0de5e6c05a4313e4e101f0515dcfb284e605f447754dd97a05c97b26fd6fe700fa9f35483860116
SSDEEP

24576:aybCCJ/fO9N1qtiAf+MIUvV/HMhS/w2/Yqol/peVJO8+:h2wHOFeH+3S9sho/Lol/MLO

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8603.exe	healer
behavioral1/memory/644-28-0x0000000000200000-0x000000000020A000-memory.dmp	healer
behavioral1/memory/3596-34-0x0000000004BD0000-0x0000000004BEA000-memory.dmp	healer
behavioral1/memory/3596-36-0x0000000004DD0000-0x0000000004DE8000-memory.dmp	healer
behavioral1/memory/3596-38-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-62-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-60-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-58-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-56-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-54-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-52-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-50-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-48-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-46-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-44-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-42-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-40-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-37-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral1/memory/3596-64-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

tz8603.exev7780Ml.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8603.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8603.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8603.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v7780Ml.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v7780Ml.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8603.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8603.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8603.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v7780Ml.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v7780Ml.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v7780Ml.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v7780Ml.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3828-73-0x0000000007180000-0x00000000071C4000-memory.dmp	family_redline
behavioral1/memory/3828-72-0x0000000004BB0000-0x0000000004BF6000-memory.dmp	family_redline
behavioral1/memory/3828-107-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-105-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-103-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-101-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-99-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-97-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-95-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-93-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-91-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-89-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-87-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-85-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-83-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-81-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-79-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-77-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-75-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3828-74-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 6 IoCs

Processes:

zap2524.exezap8616.exezap4072.exetz8603.exev7780Ml.exew17Ks24.exe

pid process

112 zap2524.exe
216 zap8616.exe
540 zap4072.exe
644 tz8603.exe
3596 v7780Ml.exe
3828 w17Ks24.exe

pid	process
112	zap2524.exe
216	zap8616.exe
540	zap4072.exe
644	tz8603.exe
3596	v7780Ml.exe
3828	w17Ks24.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

tz8603.exev7780Ml.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8603.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v7780Ml.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v7780Ml.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dba07033713c3c8362119985150049a747b7a3fa42cb51799c6213defb87d25b.exezap2524.exezap8616.exezap4072.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dba07033713c3c8362119985150049a747b7a3fa42cb51799c6213defb87d25b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2524.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap8616.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap4072.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1192 3596 WerFault.exe v7780Ml.exe

pid	pid_target	process	target process
1192	3596	WerFault.exe	v7780Ml.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dba07033713c3c8362119985150049a747b7a3fa42cb51799c6213defb87d25b.exezap2524.exezap8616.exezap4072.exev7780Ml.exew17Ks24.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dba07033713c3c8362119985150049a747b7a3fa42cb51799c6213defb87d25b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap2524.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap8616.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap4072.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v7780Ml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w17Ks24.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

tz8603.exev7780Ml.exe

pid process

644 tz8603.exe
644 tz8603.exe
3596 v7780Ml.exe
3596 v7780Ml.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tz8603.exev7780Ml.exew17Ks24.exe

description pid process

Token: SeDebugPrivilege 644 tz8603.exe
Token: SeDebugPrivilege 3596 v7780Ml.exe
Token: SeDebugPrivilege 3828 w17Ks24.exe

pid	process
644	tz8603.exe
644	tz8603.exe
3596	v7780Ml.exe
3596	v7780Ml.exe

description	pid	process
Token: SeDebugPrivilege	644	tz8603.exe
Token: SeDebugPrivilege	3596	v7780Ml.exe
Token: SeDebugPrivilege	3828	w17Ks24.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

dba07033713c3c8362119985150049a747b7a3fa42cb51799c6213defb87d25b.exezap2524.exezap8616.exezap4072.exe

description	pid	process	target process
PID 2112 wrote to memory of 112	2112	dba07033713c3c8362119985150049a747b7a3fa42cb51799c6213defb87d25b.exe	zap2524.exe
PID 2112 wrote to memory of 112	2112	dba07033713c3c8362119985150049a747b7a3fa42cb51799c6213defb87d25b.exe	zap2524.exe
PID 2112 wrote to memory of 112	2112	dba07033713c3c8362119985150049a747b7a3fa42cb51799c6213defb87d25b.exe	zap2524.exe
PID 112 wrote to memory of 216	112	zap2524.exe	zap8616.exe
PID 112 wrote to memory of 216	112	zap2524.exe	zap8616.exe
PID 112 wrote to memory of 216	112	zap2524.exe	zap8616.exe
PID 216 wrote to memory of 540	216	zap8616.exe	zap4072.exe
PID 216 wrote to memory of 540	216	zap8616.exe	zap4072.exe
PID 216 wrote to memory of 540	216	zap8616.exe	zap4072.exe
PID 540 wrote to memory of 644	540	zap4072.exe	tz8603.exe
PID 540 wrote to memory of 644	540	zap4072.exe	tz8603.exe
PID 540 wrote to memory of 3596	540	zap4072.exe	v7780Ml.exe
PID 540 wrote to memory of 3596	540	zap4072.exe	v7780Ml.exe
PID 540 wrote to memory of 3596	540	zap4072.exe	v7780Ml.exe
PID 216 wrote to memory of 3828	216	zap8616.exe	w17Ks24.exe
PID 216 wrote to memory of 3828	216	zap8616.exe	w17Ks24.exe
PID 216 wrote to memory of 3828	216	zap8616.exe	w17Ks24.exe

C:\Users\Admin\AppData\Local\Temp\dba07033713c3c8362119985150049a747b7a3fa42cb51799c6213defb87d25b.exe
"C:\Users\Admin\AppData\Local\Temp\dba07033713c3c8362119985150049a747b7a3fa42cb51799c6213defb87d25b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2524.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2524.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:112

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8616.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8616.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4072.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4072.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8603.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8603.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7780Ml.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7780Ml.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 1072
6⤵
- Program crash
PID:1192

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17Ks24.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17Ks24.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3596 -ip 3596
1⤵
PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2524.exe

Filesize
805KB

MD5
79987ba80404831d8a76e7c5a8d4a92a

SHA1
b1af665e1678ddc1745a7a2a8c9478816cdce0b2

SHA256
915fa2fd91a6354a7c1eb2bde54ec764b3950f0a57421a4c65be354ca1c5d524

SHA512
15646188125707a431569f6b47e781a3afc5740eb6493b56726ae9163c2fbd1f19b2495b8cb52b305f1fcdb9d898ee66be3a521da0a7f487b186587047412e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8616.exe

Filesize
663KB

MD5
2c146b727c2ef796458b167f6d4aa558

SHA1
18c1c28f69f6f1ebafea38be721d94ade279a1d4

SHA256
15bcb9c2b14020d7aa979d7411db172603d09933bd732e81daa5801219acc1da

SHA512
bbb10074cec5451fe7f6ea5bcd759680d17d9cf1b896a872355e46c36616a288886310730386b4ab2f46cbecfcc30857ede24b111911c80bb1bedb09cf18b067

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17Ks24.exe

Filesize
333KB

MD5
0ffcd2ed750e7af3e8fff35ad2513fe3

SHA1
c8b3580f9e629899db6289d4f456905203f6ece9

SHA256
726f3cbccf1193d86006d116138f3cf00c833a37ed442bd98c327d2b0f3139cb

SHA512
c94e60a8f2dc2ee86e5a20e8895987cf109f6307645cdb3f385bd813e0789e9276e75b1e1f33d11d3ac3d3d885f5959080c6e69cdb074846fae71b4112bf63d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4072.exe

Filesize
327KB

MD5
bab91e02e797412fd95898894a79642b

SHA1
d5119ca2c148d9a0ecd780ce5d165c665c8fb0a6

SHA256
35a372b3ba6f1f82fa36116557c718e01ae2d082ed44cbc5d25306157572e23f

SHA512
33c14594146533ef06ec57839517cd599e10e94a2ef370925ec4f305b3bef2f886b6670a9057e630afef959bd141986c734efcfca48028fee0865f00391844d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8603.exe

Filesize
12KB

MD5
e09c9ac8eb0d28f92ca3d93544bee0a7

SHA1
a8847e3a88e8abd9ca7bb1c39b7de42c9023669b

SHA256
221f231d3baa43c6da7ee7de3c9d1a017de815eb0604f366458028d84518edb5

SHA512
bc37e934e8837330d6469909dd8a1aa90cc4df390806242fd412421c17e51a8be9154cccf8b7e1df56959e2b870c4cb08f418f269004dda02bbe61d4e8373fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7780Ml.exe

Filesize
275KB

MD5
80cec86b7d713c81950a13e4ad70bd2f

SHA1
5ca14bea041da40b6934745b8dd93517b32e0529

SHA256
3ca9da774de7f4170bc290f220dfd360e203b65187ab980c945d024eaa9a0955

SHA512
e20f9f0ae1dab814f96d8fad2b52fc908e833a1ee5fa3d3c76c07bff0192121c29b8c7817640783876705383afda62d288beae2112f567b1bdf1dd0024c85006

Download Submit
memory/644-28-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/3596-34-0x0000000004BD0000-0x0000000004BEA000-memory.dmp

Filesize
104KB

Download
memory/3596-35-0x0000000007180000-0x0000000007724000-memory.dmp

Filesize
5.6MB

Download
memory/3596-36-0x0000000004DD0000-0x0000000004DE8000-memory.dmp

Filesize
96KB

Download
memory/3596-38-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-62-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-60-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-58-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-56-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-54-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-52-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-50-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-48-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-46-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-44-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-42-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-40-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-37-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-64-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3596-65-0x0000000000400000-0x0000000002B73000-memory.dmp

Filesize
39.4MB

Download
memory/3596-67-0x0000000000400000-0x0000000002B73000-memory.dmp

Filesize
39.4MB

Download
memory/3828-73-0x0000000007180000-0x00000000071C4000-memory.dmp

Filesize
272KB

Download
memory/3828-72-0x0000000004BB0000-0x0000000004BF6000-memory.dmp

Filesize
280KB

Download
memory/3828-107-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-105-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-103-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-101-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-99-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-97-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-95-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-93-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-91-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-89-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-87-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-85-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-83-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-81-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-79-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-77-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-75-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-74-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3828-980-0x00000000078A0000-0x0000000007EB8000-memory.dmp

Filesize
6.1MB

Download
memory/3828-981-0x0000000007EC0000-0x0000000007FCA000-memory.dmp

Filesize
1.0MB

Download
memory/3828-982-0x00000000072B0000-0x00000000072C2000-memory.dmp

Filesize
72KB

Download
memory/3828-983-0x0000000007FD0000-0x000000000800C000-memory.dmp

Filesize
240KB

Download
memory/3828-984-0x0000000008110000-0x000000000815C000-memory.dmp

Filesize
304KB

Download