healer | 68d666db157e49dbe4af1440b3dc31e60026fd676f4bab0d51f9a00008aae18d

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68d666db157e49dbe4af1440b3dc31e60026fd676f4bab0d51f9a00008aae18d.exe
Size

988KB
MD5

4794dee0c481fa08d74badecb047716d
SHA1

6b81a456a2ff4e484432b7e0b98987f3eff55685
SHA256

68d666db157e49dbe4af1440b3dc31e60026fd676f4bab0d51f9a00008aae18d
SHA512

9c011f15ff595798f76781b449ea675449d14e19d47141c548df71d21fa7ebcb6c1bee2bf001fd7f96af565ae3af82f7153c12c34c6457ec4d29dcf45f9288f2
SSDEEP

24576:UywBdWLZMSj+N1M1L3vvUR/aDEkgpMxJxNtUyawU8ti:jw7KMSj+N1q3v0a7gp+xNGyVUA

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu070049.exe	healer
behavioral1/memory/3052-28-0x0000000000540000-0x000000000054A000-memory.dmp	healer
behavioral1/memory/1964-34-0x0000000002450000-0x000000000246A000-memory.dmp	healer
behavioral1/memory/1964-36-0x00000000024E0000-0x00000000024F8000-memory.dmp	healer
behavioral1/memory/1964-37-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-42-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-64-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-62-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-60-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-58-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-56-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-54-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-52-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-50-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-48-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-46-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-44-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-40-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/1964-38-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

bu070049.execor5022.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu070049.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu070049.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu070049.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor5022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor5022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu070049.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu070049.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor5022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor5022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor5022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor5022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu070049.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3224-72-0x00000000025C0000-0x0000000002606000-memory.dmp	family_redline
behavioral1/memory/3224-73-0x0000000002650000-0x0000000002694000-memory.dmp	family_redline
behavioral1/memory/3224-81-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-93-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-107-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-106-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-103-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-101-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-99-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-97-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-95-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-91-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-89-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-87-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-85-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-83-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-79-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-77-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-75-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/3224-74-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 6 IoCs

Processes:

kina3262.exekina7968.exekina6341.exebu070049.execor5022.exedyD16s42.exe

pid process

4764 kina3262.exe
3940 kina7968.exe
4760 kina6341.exe
3052 bu070049.exe
1964 cor5022.exe
3224 dyD16s42.exe

pid	process
4764	kina3262.exe
3940	kina7968.exe
4760	kina6341.exe
3052	bu070049.exe
1964	cor5022.exe
3224	dyD16s42.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

cor5022.exebu070049.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor5022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor5022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu070049.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

68d666db157e49dbe4af1440b3dc31e60026fd676f4bab0d51f9a00008aae18d.exekina3262.exekina7968.exekina6341.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	68d666db157e49dbe4af1440b3dc31e60026fd676f4bab0d51f9a00008aae18d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina3262.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina7968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina6341.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3652 1964 WerFault.exe cor5022.exe

pid	pid_target	process	target process
3652	1964	WerFault.exe	cor5022.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kina7968.exekina6341.execor5022.exedyD16s42.exe68d666db157e49dbe4af1440b3dc31e60026fd676f4bab0d51f9a00008aae18d.exekina3262.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kina7968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kina6341.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cor5022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyD16s42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68d666db157e49dbe4af1440b3dc31e60026fd676f4bab0d51f9a00008aae18d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kina3262.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

bu070049.execor5022.exe

pid process

3052 bu070049.exe
3052 bu070049.exe
1964 cor5022.exe
1964 cor5022.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bu070049.execor5022.exedyD16s42.exe

description pid process

Token: SeDebugPrivilege 3052 bu070049.exe
Token: SeDebugPrivilege 1964 cor5022.exe
Token: SeDebugPrivilege 3224 dyD16s42.exe

pid	process
3052	bu070049.exe
3052	bu070049.exe
1964	cor5022.exe
1964	cor5022.exe

description	pid	process
Token: SeDebugPrivilege	3052	bu070049.exe
Token: SeDebugPrivilege	1964	cor5022.exe
Token: SeDebugPrivilege	3224	dyD16s42.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

68d666db157e49dbe4af1440b3dc31e60026fd676f4bab0d51f9a00008aae18d.exekina3262.exekina7968.exekina6341.exe

description	pid	process	target process
PID 3984 wrote to memory of 4764	3984	68d666db157e49dbe4af1440b3dc31e60026fd676f4bab0d51f9a00008aae18d.exe	kina3262.exe
PID 3984 wrote to memory of 4764	3984	68d666db157e49dbe4af1440b3dc31e60026fd676f4bab0d51f9a00008aae18d.exe	kina3262.exe
PID 3984 wrote to memory of 4764	3984	68d666db157e49dbe4af1440b3dc31e60026fd676f4bab0d51f9a00008aae18d.exe	kina3262.exe
PID 4764 wrote to memory of 3940	4764	kina3262.exe	kina7968.exe
PID 4764 wrote to memory of 3940	4764	kina3262.exe	kina7968.exe
PID 4764 wrote to memory of 3940	4764	kina3262.exe	kina7968.exe
PID 3940 wrote to memory of 4760	3940	kina7968.exe	kina6341.exe
PID 3940 wrote to memory of 4760	3940	kina7968.exe	kina6341.exe
PID 3940 wrote to memory of 4760	3940	kina7968.exe	kina6341.exe
PID 4760 wrote to memory of 3052	4760	kina6341.exe	bu070049.exe
PID 4760 wrote to memory of 3052	4760	kina6341.exe	bu070049.exe
PID 4760 wrote to memory of 1964	4760	kina6341.exe	cor5022.exe
PID 4760 wrote to memory of 1964	4760	kina6341.exe	cor5022.exe
PID 4760 wrote to memory of 1964	4760	kina6341.exe	cor5022.exe
PID 3940 wrote to memory of 3224	3940	kina7968.exe	dyD16s42.exe
PID 3940 wrote to memory of 3224	3940	kina7968.exe	dyD16s42.exe
PID 3940 wrote to memory of 3224	3940	kina7968.exe	dyD16s42.exe

C:\Users\Admin\AppData\Local\Temp\68d666db157e49dbe4af1440b3dc31e60026fd676f4bab0d51f9a00008aae18d.exe
"C:\Users\Admin\AppData\Local\Temp\68d666db157e49dbe4af1440b3dc31e60026fd676f4bab0d51f9a00008aae18d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3262.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3262.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7968.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7968.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3940

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina6341.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina6341.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu070049.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu070049.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5022.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5022.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1084
6⤵
- Program crash
PID:3652

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyD16s42.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyD16s42.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1964 -ip 1964
1⤵
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3262.exe

Filesize
803KB

MD5
4229df858ae6039afd73fda35f333e0f

SHA1
ddb0b7c28d12dc1be88fa79ccf81fa3d7d4ca6b9

SHA256
7c1290335440dcc011489cafd076e82ab3c194a0fd4a9773583ecde22d0c82ec

SHA512
323de50d5d698dca9d9a7fb3a7ce71d5b9b55d516ffaf3a919ab173922bb8a4e832cb957ba960ab6b2cb4535bb3a3d9e674bdf7325627a3f6a42280a817bbbce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7968.exe

Filesize
650KB

MD5
976821d3823c4da07350fe996aafefd0

SHA1
6b6028e7a14129aba996bdf3be90803ea84c5f8a

SHA256
77a71965c8f9cc2df32531114b032eb9351b2b3f148c1a5bce1314df4ca3972f

SHA512
c539fd20aabeeaf258b09152c58013cdd2d0d6814ef16bcd460372df9d1807f36f6a79a9b91a9dbd226b3d83cd68a2041ec13d13f515f220e5aab2dd40be61ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyD16s42.exe

Filesize
295KB

MD5
5f374d99d3e801c1c1a3c90c209467bb

SHA1
9b0b7495e581a39bd27bdb8da8f5dcf2675aed73

SHA256
3e851f2ac17c4c94b6f52ad1433820c822ad1e0e8191516c2a1d96bab89eecf3

SHA512
f0ac0bd5c2143d6e87a69a32c74c810f5076a6c44a0060e8e739963e0ad3202646eed375604347dd9c9831e1102c25918627e5ac700028149e284df44794071b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina6341.exe

Filesize
321KB

MD5
7173be173508b080f7d21d0a46ea0f1a

SHA1
26bebceb366e61cbed599be2d5690cc58945cc86

SHA256
75e4a51beb06380645deb534b1cc7fd9dba5f0033e8d829cc2f5864545f98f50

SHA512
ece2c9763f5832365445c5b6ab00ca67b901ac582e19faa64cdb514c5c65a7d4cf9a06c5b530bd3cebc29471d94c0de012fbf3cc064d5c32d247eb97338cb87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu070049.exe

Filesize
15KB

MD5
edd0be70e79acf717d52b08fa3b8685f

SHA1
1fa1c1a25f1df78c755e4ff07e8f28f1f8a0ce4d

SHA256
bec808da0ffdb008b73180bb51b7979c46dced5edc6b3534b7d8c4f8f737e9d0

SHA512
a67182db6d4c583a13c8a4ab0343e2dd68c777e97bb5009f1bb191575557a1b7481f8639a0be789277b807edaf83fd1eabe0a39709bc9000ca8006844a2d4fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5022.exe

Filesize
237KB

MD5
5c0365f3537742ad5a1faa8eb2bd44e4

SHA1
4aab09a1e7e75a48ccf25577d4ea1d2a9c05c8ed

SHA256
22cb2499b862fb01de308e131b6b065c4b631aafa6beb70a87f7142c2d9bde6b

SHA512
3885346e02d553ced3ba7f2a40ed2cf32bd4ea57d0de7774f825df71a4e29d6816f353a0c8d1fb142b37020ecbcf688539a2d4cf62c6f594affc41876c4a94ce

Download Submit
memory/1964-67-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1964-35-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/1964-36-0x00000000024E0000-0x00000000024F8000-memory.dmp

Filesize
96KB

Download
memory/1964-37-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-42-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-64-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-62-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-60-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-58-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-56-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-54-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-52-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-50-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-48-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-46-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-44-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-40-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-38-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1964-65-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1964-34-0x0000000002450000-0x000000000246A000-memory.dmp

Filesize
104KB

Download
memory/3052-28-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/3224-81-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-87-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-72-0x00000000025C0000-0x0000000002606000-memory.dmp

Filesize
280KB

Download
memory/3224-93-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-107-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-106-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-103-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-101-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-99-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-97-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-95-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-91-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-89-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-73-0x0000000002650000-0x0000000002694000-memory.dmp

Filesize
272KB

Download
memory/3224-85-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-83-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-79-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-77-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-75-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-74-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/3224-980-0x00000000050F0000-0x0000000005708000-memory.dmp

Filesize
6.1MB

Download
memory/3224-981-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/3224-982-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/3224-983-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/3224-984-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download