healer | fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exe
Size

797KB
MD5

b1f2be4bb067aa4d6431da7a74cc7e20
SHA1

c8b1e7246fd862b9fca35a5238ccd33ce976e9c8
SHA256

fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645
SHA512

f5730300b54ee7a4a2977508d5c7250ab5815504efdc3142ee97f45b375964c5635026a695a95713af1dcba9690a2b5bfc7dc92197b55ecbde52979c1adbd9b8
SSDEEP

24576:0ydcfYaM5apqo97wlqqnxamjSiIMf8nb:DdctM5aqm7wlqZmjSiIMk

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4804-19-0x0000000002470000-0x000000000248A000-memory.dmp	healer
behavioral1/memory/4804-21-0x00000000024F0000-0x0000000002508000-memory.dmp	healer
behavioral1/memory/4804-23-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-49-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-47-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-45-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-43-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-41-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-39-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-37-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-35-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-33-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-31-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-29-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-27-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-25-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/4804-22-0x00000000024F0000-0x0000000002502000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro8099.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8099.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8099.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8099.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8099.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8099.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8099.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1632-2143-0x0000000005400000-0x0000000005432000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral1/memory/4020-2156-0x0000000000450000-0x0000000000480000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si403345.exe	family_redline
behavioral1/memory/4592-2167-0x0000000000B60000-0x0000000000B8E000-memory.dmp	family_redline

Redline family
redline
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

qu4771.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation qu4771.exe
Executes dropped EXE 5 IoCs

Processes:

un855426.exepro8099.exequ4771.exe1.exesi403345.exe

pid process

2932 un855426.exe
4804 pro8099.exe
1632 qu4771.exe
4020 1.exe
4592 si403345.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	qu4771.exe

pid	process
2932	un855426.exe
4804	pro8099.exe
1632	qu4771.exe
4020	1.exe
4592	si403345.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro8099.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8099.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8099.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exeun855426.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un855426.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1448 4804 WerFault.exe pro8099.exe
5624 1632 WerFault.exe qu4771.exe

pid	pid_target	process	target process
1448	4804	WerFault.exe	pro8099.exe
5624	1632	WerFault.exe	qu4771.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exeun855426.exepro8099.exequ4771.exe1.exesi403345.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un855426.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro8099.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu4771.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si403345.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro8099.exe

pid process

4804 pro8099.exe
4804 pro8099.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro8099.exequ4771.exe

description pid process

Token: SeDebugPrivilege 4804 pro8099.exe
Token: SeDebugPrivilege 1632 qu4771.exe

pid	process
4804	pro8099.exe
4804	pro8099.exe

description	pid	process
Token: SeDebugPrivilege	4804	pro8099.exe
Token: SeDebugPrivilege	1632	qu4771.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exeun855426.exequ4771.exe

description	pid	process	target process
PID 2012 wrote to memory of 2932	2012	fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exe	un855426.exe
PID 2012 wrote to memory of 2932	2012	fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exe	un855426.exe
PID 2012 wrote to memory of 2932	2012	fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exe	un855426.exe
PID 2932 wrote to memory of 4804	2932	un855426.exe	pro8099.exe
PID 2932 wrote to memory of 4804	2932	un855426.exe	pro8099.exe
PID 2932 wrote to memory of 4804	2932	un855426.exe	pro8099.exe
PID 2932 wrote to memory of 1632	2932	un855426.exe	qu4771.exe
PID 2932 wrote to memory of 1632	2932	un855426.exe	qu4771.exe
PID 2932 wrote to memory of 1632	2932	un855426.exe	qu4771.exe
PID 1632 wrote to memory of 4020	1632	qu4771.exe	1.exe
PID 1632 wrote to memory of 4020	1632	qu4771.exe	1.exe
PID 1632 wrote to memory of 4020	1632	qu4771.exe	1.exe
PID 2012 wrote to memory of 4592	2012	fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exe	si403345.exe
PID 2012 wrote to memory of 4592	2012	fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exe	si403345.exe
PID 2012 wrote to memory of 4592	2012	fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exe	si403345.exe

C:\Users\Admin\AppData\Local\Temp\fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exe
"C:\Users\Admin\AppData\Local\Temp\fb2a8f3ce7b4e74b5b7af6baac27e8eb30afbf83b15cf748b5ad8b6f90c34645.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un855426.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un855426.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8099.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8099.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1080
4⤵
- Program crash
PID:1448

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4771.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4771.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1536
4⤵
- Program crash
PID:5624

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si403345.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si403345.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4804 -ip 4804
1⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1632 -ip 1632
1⤵
PID:6112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si403345.exe

Filesize
168KB

MD5
0e936733fabc5cbda6464a163198a181

SHA1
f85893218738a0dfa22d947efe059593bc1ec4db

SHA256
0f3c99b6a8b5bd33498b5ae887d1783a912ef44a92b1f384b1bb1144db628691

SHA512
6453d342de0b955f00f7c4113044137af4a36e9ef9cf558e72505cc6faa1184b605e915d61ddd21869c9a53e0840c04253c86e081bca47da6b76794e003d57e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un855426.exe

Filesize
643KB

MD5
c9c59341577c0fbf0d94972ccfa90c55

SHA1
ff00cede9623f7c19adf9743df378f9b755a1315

SHA256
cf0708242c25c6ddc8e9efa2271eec0aafab67857367eed2e01a69c415bb7912

SHA512
cc48ffe93ffffb0dde5104dde4f144f1a7ac3b65f31bbeb237e9e1d0e26003a6f382738bea42dc26ac04b398d8c45da4a64b1b4e9c3febd3ae2cd0efb2c099a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8099.exe

Filesize
241KB

MD5
79bb3537c6833674d75ff73ae1a96d4d

SHA1
06b705663f6f040a70aabbd073651dad9ba3fe48

SHA256
ad2a827c903076da28bc54b514ddffb556a7d37f9a850bcc5ad6ad3e72715892

SHA512
c51c1d13ab24a6e20fe76ddbf808b634f397e5e72b0e503cfdddbe96caf1693867e10575eff4337aeab926de484aaa8cfb78713f484d3f2433c3c72f4e41118e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4771.exe

Filesize
424KB

MD5
f2c17a6cf7d157d0f6bedd388c999d25

SHA1
ed17d342ed15e8f06991e21d0f7d657a3356ae9c

SHA256
c8a7c2b8a8e09774ba749dfda163f9e8525560a0db7c957c6aabe57aa64146fb

SHA512
f79bb9a7540b66acc7edb1d79b928254d1cd56fa708b08968c429508ddaa318e23186ab5b5c72cd5cfdc0c157781bce65cebd6c5ef7080cc3ce54e922f1707f3

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/1632-70-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-84-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-90-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-78-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-80-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-62-0x00000000051E0000-0x0000000005246000-memory.dmp

Filesize
408KB

Download
memory/1632-96-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-61-0x0000000004960000-0x00000000049C6000-memory.dmp

Filesize
408KB

Download
memory/1632-88-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-86-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-92-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-82-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-2143-0x0000000005400000-0x0000000005432000-memory.dmp

Filesize
200KB

Download
memory/1632-63-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-64-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-66-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-68-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-72-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-74-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-94-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1632-76-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/4020-2156-0x0000000000450000-0x0000000000480000-memory.dmp

Filesize
192KB

Download
memory/4020-2157-0x0000000000BE0000-0x0000000000BE6000-memory.dmp

Filesize
24KB

Download
memory/4020-2158-0x0000000005420000-0x0000000005A38000-memory.dmp

Filesize
6.1MB

Download
memory/4020-2159-0x0000000004F10000-0x000000000501A000-memory.dmp

Filesize
1.0MB

Download
memory/4020-2160-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/4020-2161-0x0000000004E40000-0x0000000004E7C000-memory.dmp

Filesize
240KB

Download
memory/4020-2162-0x0000000004E80000-0x0000000004ECC000-memory.dmp

Filesize
304KB

Download
memory/4592-2167-0x0000000000B60000-0x0000000000B8E000-memory.dmp

Filesize
184KB

Download
memory/4592-2168-0x0000000002CD0000-0x0000000002CD6000-memory.dmp

Filesize
24KB

Download
memory/4804-29-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-50-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/4804-47-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-18-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4804-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4804-55-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4804-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4804-51-0x00000000004C0000-0x00000000004ED000-memory.dmp

Filesize
180KB

Download
memory/4804-22-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-25-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4804-27-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-19-0x0000000002470000-0x000000000248A000-memory.dmp

Filesize
104KB

Download
memory/4804-31-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-33-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-35-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-16-0x00000000004C0000-0x00000000004ED000-memory.dmp

Filesize
180KB

Download
memory/4804-37-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-39-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-41-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-43-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-45-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-49-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-23-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4804-15-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/4804-21-0x00000000024F0000-0x0000000002508000-memory.dmp

Filesize
96KB

Download
memory/4804-20-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download