healer | af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exe
Size

802KB
MD5

1e9fb9fe48c1177246179fce23f828a5
SHA1

93360487839feac845c0a39475267ffd5513ed3b
SHA256

af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f
SHA512

cb44dddabef0649e792bfb13bed72cb4304fb557ade5602101402533a888317cf03d322dd8839dc9a62a8f74a58774690cf59badb7b4a27ba9879dc1badf2333
SSDEEP

12288:OMrLy90QgpWGMLej/cDFv8ystBVHfWiOrZIcJy4CwQ4EUVGTz/ojAMaPiGQIdxQ:RyJveADFQHJW9rDbjjX88vod3Q

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2860-19-0x0000000002280000-0x000000000229A000-memory.dmp	healer
behavioral1/memory/2860-21-0x0000000004A40000-0x0000000004A58000-memory.dmp	healer
behavioral1/memory/2860-49-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-47-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-45-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-43-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-41-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-39-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-37-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-35-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-33-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-31-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-29-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-27-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-25-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-23-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/2860-22-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro6945.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro6945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro6945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro6945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro6945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro6945.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro6945.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3912-2143-0x0000000005410000-0x0000000005442000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral1/memory/5892-2156-0x0000000000AC0000-0x0000000000AF0000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si085064.exe	family_redline
behavioral1/memory/2068-2167-0x0000000000AC0000-0x0000000000AEE000-memory.dmp	family_redline

Redline family
redline
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

qu8738.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation qu8738.exe
Executes dropped EXE 5 IoCs

Processes:

un974925.exepro6945.exequ8738.exe1.exesi085064.exe

pid process

3512 un974925.exe
2860 pro6945.exe
3912 qu8738.exe
5892 1.exe
2068 si085064.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	qu8738.exe

pid	process
3512	un974925.exe
2860	pro6945.exe
3912	qu8738.exe
5892	1.exe
2068	si085064.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro6945.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro6945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro6945.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

un974925.exeaf39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un974925.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4736 2860 WerFault.exe pro6945.exe
700 3912 WerFault.exe qu8738.exe

pid	pid_target	process	target process
4736	2860	WerFault.exe	pro6945.exe
700	3912	WerFault.exe	qu8738.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pro6945.exequ8738.exe1.exesi085064.exeaf39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exeun974925.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro6945.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu8738.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si085064.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un974925.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro6945.exe

pid process

2860 pro6945.exe
2860 pro6945.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro6945.exequ8738.exe

description pid process

Token: SeDebugPrivilege 2860 pro6945.exe
Token: SeDebugPrivilege 3912 qu8738.exe

pid	process
2860	pro6945.exe
2860	pro6945.exe

description	pid	process
Token: SeDebugPrivilege	2860	pro6945.exe
Token: SeDebugPrivilege	3912	qu8738.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exeun974925.exequ8738.exe

description	pid	process	target process
PID 4544 wrote to memory of 3512	4544	af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exe	un974925.exe
PID 4544 wrote to memory of 3512	4544	af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exe	un974925.exe
PID 4544 wrote to memory of 3512	4544	af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exe	un974925.exe
PID 3512 wrote to memory of 2860	3512	un974925.exe	pro6945.exe
PID 3512 wrote to memory of 2860	3512	un974925.exe	pro6945.exe
PID 3512 wrote to memory of 2860	3512	un974925.exe	pro6945.exe
PID 3512 wrote to memory of 3912	3512	un974925.exe	qu8738.exe
PID 3512 wrote to memory of 3912	3512	un974925.exe	qu8738.exe
PID 3512 wrote to memory of 3912	3512	un974925.exe	qu8738.exe
PID 3912 wrote to memory of 5892	3912	qu8738.exe	1.exe
PID 3912 wrote to memory of 5892	3912	qu8738.exe	1.exe
PID 3912 wrote to memory of 5892	3912	qu8738.exe	1.exe
PID 4544 wrote to memory of 2068	4544	af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exe	si085064.exe
PID 4544 wrote to memory of 2068	4544	af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exe	si085064.exe
PID 4544 wrote to memory of 2068	4544	af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exe	si085064.exe

C:\Users\Admin\AppData\Local\Temp\af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exe
"C:\Users\Admin\AppData\Local\Temp\af39320f314ec78ea1153ccc035908072af0fa701a81b2e84bde9330e1c9d58f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un974925.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un974925.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6945.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6945.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 976
4⤵
- Program crash
PID:4736

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8738.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8738.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1380
4⤵
- Program crash
PID:700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si085064.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si085064.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2860 -ip 2860
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3912 -ip 3912
1⤵
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si085064.exe

Filesize
168KB

MD5
22a1e3d2e41003d816a88f646d897f1d

SHA1
001efd432724aebf1f763364eace6919a81c2f97

SHA256
1fd448becc1b67e2dd89059a15d294a94a6cb52307c376f946254fec5bad121a

SHA512
29b5b1ddb168cef4059515b9aee37db18ac28ee48c0cd6b32ca2efc712452270d712d2a4dfe058d085d41539c36bc4d66557eaca9677cbbbfb8be45aa90fba37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un974925.exe

Filesize
648KB

MD5
177450b5d419027b4ff09d44f75a4d44

SHA1
c208b7963e5b58da603fc9153184138ff96dd8a8

SHA256
45e8b5cd4df0d6fe968538021b1d167cb45f745886d60ecca3cf7575668aee6e

SHA512
5fd1717ccb1c2e3d1535ce39fd96dfbc3b5fcbae82bfdf5cf1133d787ca3a04a5007d3aab63fd5909fb3cf1508dfacd540bfe4816742edc28f21f21f76d9a512

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6945.exe

Filesize
252KB

MD5
e4291a3c7e3aff681ea1bc71d192b9f3

SHA1
d02eaf05fe9094226c56b084c4a974498aba1cac

SHA256
8c24ac9b19c9b3a291b72f8cac75e91618bc070b51c36bd3e13cd18d4613fa62

SHA512
787faaa6b99bca14fb09a97e621316d06b9b94d71109dfd6c0dbbbae84136cf271c793b6980eca5fad5a1a7053947eacebf7d89a89977658e6a65780795d6c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8738.exe

Filesize
435KB

MD5
9dc42f953d93487ddd6fe9cb2766f1c1

SHA1
815ec7bb576f7e211ea50a927152e7bbaf018462

SHA256
072b0cfd49b48a18b748992d90239931a2d9e73f2304965a9ba03c4e205a37f3

SHA512
543df2fbe5b3bcfe711c4f6479ec797e11c656a41544c49560312e9215f551b8baafecf4b5d6156bc43b3d9d084e18a97c2843d201af69d4cf2d76a451e2b612

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/2068-2167-0x0000000000AC0000-0x0000000000AEE000-memory.dmp

Filesize
184KB

Download
memory/2068-2168-0x0000000001290000-0x0000000001296000-memory.dmp

Filesize
24KB

Download
memory/2860-51-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download
memory/2860-16-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download
memory/2860-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2860-18-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2860-19-0x0000000002280000-0x000000000229A000-memory.dmp

Filesize
104KB

Download
memory/2860-20-0x0000000004C00000-0x00000000051A4000-memory.dmp

Filesize
5.6MB

Download
memory/2860-21-0x0000000004A40000-0x0000000004A58000-memory.dmp

Filesize
96KB

Download
memory/2860-49-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-47-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-45-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-43-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-41-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-39-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-37-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-35-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-33-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-31-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-29-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-27-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-25-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-23-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-22-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/2860-50-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2860-15-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2860-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2860-55-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2860-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3912-61-0x00000000025F0000-0x0000000002656000-memory.dmp

Filesize
408KB

Download
memory/3912-62-0x0000000004C20000-0x0000000004C86000-memory.dmp

Filesize
408KB

Download
memory/3912-72-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-64-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-63-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-82-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-96-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-94-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-90-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-88-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-86-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-84-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-80-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-78-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-76-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-74-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-70-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-68-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-66-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-92-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/3912-2143-0x0000000005410000-0x0000000005442000-memory.dmp

Filesize
200KB

Download
memory/5892-2156-0x0000000000AC0000-0x0000000000AF0000-memory.dmp

Filesize
192KB

Download
memory/5892-2157-0x0000000002B60000-0x0000000002B66000-memory.dmp

Filesize
24KB

Download
memory/5892-2158-0x0000000005A00000-0x0000000006018000-memory.dmp

Filesize
6.1MB

Download
memory/5892-2159-0x0000000005510000-0x000000000561A000-memory.dmp

Filesize
1.0MB

Download
memory/5892-2160-0x0000000005440000-0x0000000005452000-memory.dmp

Filesize
72KB

Download
memory/5892-2161-0x00000000054A0000-0x00000000054DC000-memory.dmp

Filesize
240KB

Download
memory/5892-2162-0x0000000005620000-0x000000000566C000-memory.dmp

Filesize
304KB

Download