healer | 58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exe
Size

814KB
MD5

d4d6d198f6009c1719f85f40ae2ae5db
SHA1

071e1ae0ef8a6c82b99cebafa29afaaeb631bf73
SHA256

58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146
SHA512

b24aa72f1d82d8e8886d205589cc1e9602563f878dbe6a5836660b3522f22c208e6045361da8dd38c2d85b10fffcdb58add74a5c4df0f6e05abd21e35aebf699
SSDEEP

12288:PMr4y90fv1sbZQtKQ8clh9+NC2WUzxLK7GaYxNyfaJLX+3uMHxbXiLO1xtiJX4yo:LyWv1sbKph9Y9H5K7GrLyukFbDwJXJo

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4712-19-0x0000000002880000-0x000000000289A000-memory.dmp	healer
behavioral1/memory/4712-21-0x0000000005370000-0x0000000005388000-memory.dmp	healer
behavioral1/memory/4712-23-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-49-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-47-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-46-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-43-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-41-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-39-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-37-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-35-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-33-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-31-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-30-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-27-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-25-0x0000000005370000-0x0000000005382000-memory.dmp	healer
behavioral1/memory/4712-22-0x0000000005370000-0x0000000005382000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro4017.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4017.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4017.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4140-2142-0x0000000005760000-0x0000000005792000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral1/memory/624-2155-0x0000000000AE0000-0x0000000000B10000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si670381.exe	family_redline
behavioral1/memory/4704-2166-0x0000000000010000-0x000000000003E000-memory.dmp	family_redline

Redline family
redline
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

qu6350.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation qu6350.exe
Executes dropped EXE 5 IoCs

Processes:

un138356.exepro4017.exequ6350.exe1.exesi670381.exe

pid process

4352 un138356.exe
4712 pro4017.exe
4140 qu6350.exe
624 1.exe
4704 si670381.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	qu6350.exe

pid	process
4352	un138356.exe
4712	pro4017.exe
4140	qu6350.exe
624	1.exe
4704	si670381.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro4017.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4017.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exeun138356.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un138356.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3684 4712 WerFault.exe pro4017.exe
3932 4140 WerFault.exe qu6350.exe

pid	pid_target	process	target process
3684	4712	WerFault.exe	pro4017.exe
3932	4140	WerFault.exe	qu6350.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exeun138356.exepro4017.exequ6350.exe1.exesi670381.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un138356.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro4017.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu6350.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si670381.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro4017.exe

pid process

4712 pro4017.exe
4712 pro4017.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro4017.exequ6350.exe

description pid process

Token: SeDebugPrivilege 4712 pro4017.exe
Token: SeDebugPrivilege 4140 qu6350.exe

pid	process
4712	pro4017.exe
4712	pro4017.exe

description	pid	process
Token: SeDebugPrivilege	4712	pro4017.exe
Token: SeDebugPrivilege	4140	qu6350.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exeun138356.exequ6350.exe

description	pid	process	target process
PID 4804 wrote to memory of 4352	4804	58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exe	un138356.exe
PID 4804 wrote to memory of 4352	4804	58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exe	un138356.exe
PID 4804 wrote to memory of 4352	4804	58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exe	un138356.exe
PID 4352 wrote to memory of 4712	4352	un138356.exe	pro4017.exe
PID 4352 wrote to memory of 4712	4352	un138356.exe	pro4017.exe
PID 4352 wrote to memory of 4712	4352	un138356.exe	pro4017.exe
PID 4352 wrote to memory of 4140	4352	un138356.exe	qu6350.exe
PID 4352 wrote to memory of 4140	4352	un138356.exe	qu6350.exe
PID 4352 wrote to memory of 4140	4352	un138356.exe	qu6350.exe
PID 4140 wrote to memory of 624	4140	qu6350.exe	1.exe
PID 4140 wrote to memory of 624	4140	qu6350.exe	1.exe
PID 4140 wrote to memory of 624	4140	qu6350.exe	1.exe
PID 4804 wrote to memory of 4704	4804	58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exe	si670381.exe
PID 4804 wrote to memory of 4704	4804	58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exe	si670381.exe
PID 4804 wrote to memory of 4704	4804	58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exe	si670381.exe

C:\Users\Admin\AppData\Local\Temp\58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exe
"C:\Users\Admin\AppData\Local\Temp\58db4380024a691da8b5befb09a75fef6bbb8a1fb6a8c7f0e9c3918acd4a4146.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un138356.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un138356.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4352

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4017.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4017.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1040
4⤵
- Program crash
PID:3684

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6350.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6350.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1524
4⤵
- Program crash
PID:3932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si670381.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si670381.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4712 -ip 4712
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4140 -ip 4140
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si670381.exe

Filesize
169KB

MD5
76042d39bdea9de2e5b723029cb83dc1

SHA1
b9059afc474a879fb0fa1338c8c728200eb219ce

SHA256
91b76d4e540bd24f5cf9dbe7bce90022cb71fb0734dc2d28b43f7fd06ce3ba84

SHA512
edd9c5c0674e1ff2adf7889faa849e2eb7ef39075d62a809b57716df3f09fd49004f7e6af41abc1b24aeaee415c20759de5d9a1f3ad0a4cef278eb8b4355a14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un138356.exe

Filesize
660KB

MD5
75d6f3529eb19fb9c126eb6d4fbdf800

SHA1
68ee52a8cf8d52fadbd762fa39922cad83628d09

SHA256
b26cdc841c5a15bc69df33c792b2882a39bd0c5050618bf672e0c85923e72f12

SHA512
8dca4ed9f519bddb91d853c1ac218789b2f17227eaea51dece3266a0390e2058dcaf6ae96fb09f39ff043798278b0e43e427ed1ac500b4eb81a1b89feb6f5f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4017.exe

Filesize
312KB

MD5
69d2a67d87c47d5eef7dbbca5b627a6c

SHA1
5d9d0abc2aca282a7aa34139da187bf38878de95

SHA256
de0c72f80a8310058245b0087a298da2f8f670f795ebf719b30f4a28af6b5088

SHA512
47993ed1dd0539b65c8a6c12173f808788c0de589d1586d161ba9d5d089d80b14c42f99c5908e437d8e9d71f2935ff3c3b0867dfb911a724e4d2572833d7beb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6350.exe

Filesize
495KB

MD5
5e22ea4aec494caa99e8baba3678bc0b

SHA1
a5e40572ebf240de47994e5141b9a3082d326957

SHA256
84e553464f853b61d0e522298f7876e5455238a2eb1e34f0fcf8ae53af76e173

SHA512
ed77a9ba7ee2c49b8312249805ecedc79becf7baa4069e7cfe35e3696244fec3fa8e34cb281777145a136c5f924578dabf83b203cbf9206f8c90b1aa0a296e26

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/624-2165-0x0000000005510000-0x000000000555C000-memory.dmp

Filesize
304KB

Download
memory/624-2161-0x0000000005490000-0x00000000054CC000-memory.dmp

Filesize
240KB

Download
memory/624-2159-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/624-2158-0x0000000005580000-0x000000000568A000-memory.dmp

Filesize
1.0MB

Download
memory/624-2157-0x0000000005A90000-0x00000000060A8000-memory.dmp

Filesize
6.1MB

Download
memory/624-2156-0x0000000002CD0000-0x0000000002CD6000-memory.dmp

Filesize
24KB

Download
memory/624-2155-0x0000000000AE0000-0x0000000000B10000-memory.dmp

Filesize
192KB

Download
memory/4140-73-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-2142-0x0000000005760000-0x0000000005792000-memory.dmp

Filesize
200KB

Download
memory/4140-83-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-69-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-71-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-75-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-79-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-81-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-85-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-87-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-89-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-91-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-93-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-95-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-77-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-62-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-63-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-60-0x0000000002890000-0x00000000028F6000-memory.dmp

Filesize
408KB

Download
memory/4140-61-0x0000000004F80000-0x0000000004FE6000-memory.dmp

Filesize
408KB

Download
memory/4140-67-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4140-65-0x0000000004F80000-0x0000000004FDF000-memory.dmp

Filesize
380KB

Download
memory/4704-2166-0x0000000000010000-0x000000000003E000-memory.dmp

Filesize
184KB

Download
memory/4704-2167-0x0000000002120000-0x0000000002126000-memory.dmp

Filesize
24KB

Download
memory/4712-39-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-50-0x00000000008F0000-0x00000000009F0000-memory.dmp

Filesize
1024KB

Download
memory/4712-41-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-43-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-25-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-27-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-30-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-31-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-33-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-35-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-47-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-37-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4712-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4712-22-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-49-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-23-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4712-20-0x0000000004DC0000-0x0000000005364000-memory.dmp

Filesize
5.6MB

Download
memory/4712-21-0x0000000005370000-0x0000000005388000-memory.dmp

Filesize
96KB

Download
memory/4712-19-0x0000000002880000-0x000000000289A000-memory.dmp

Filesize
104KB

Download
memory/4712-18-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/4712-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4712-17-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/4712-15-0x00000000008F0000-0x00000000009F0000-memory.dmp

Filesize
1024KB

Download
memory/4712-54-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/4712-46-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download