healer | 5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exe
Size

801KB
MD5

f0f80d947ef2d17090db564296cdec7a
SHA1

e5875f76d836c2f75212c7beacf2ab518ed76cd9
SHA256

5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601
SHA512

8e9bc737e81cf5c1295814d7fbe2d27fa273434428002e6f81977761517864baec6853ff6756b124432bdd69f86ec635e469a75b62848ffd87b57c4ac87f0c86
SSDEEP

24576:oyjyf0FW/Ih7f//Z7jBA/f2XXc0g9wLq:vBFW/I9P5jBSD

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1308-19-0x00000000023B0000-0x00000000023CA000-memory.dmp	healer
behavioral1/memory/1308-21-0x0000000004A50000-0x0000000004A68000-memory.dmp	healer
behavioral1/memory/1308-39-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-49-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-47-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-45-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-43-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-41-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-34-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-31-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-29-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-27-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-25-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-22-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-37-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-35-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/1308-23-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro7257.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro7257.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7257.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7257.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7257.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7257.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7257.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2868-2143-0x0000000005400000-0x0000000005432000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral1/memory/6120-2156-0x0000000000590000-0x00000000005C0000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si200738.exe	family_redline
behavioral1/memory/5828-2167-0x00000000009E0000-0x0000000000A0E000-memory.dmp	family_redline

Redline family
redline
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

qu1924.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation qu1924.exe
Executes dropped EXE 5 IoCs

Processes:

un004494.exepro7257.exequ1924.exe1.exesi200738.exe

pid process

3988 un004494.exe
1308 pro7257.exe
2868 qu1924.exe
6120 1.exe
5828 si200738.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	qu1924.exe

pid	process
3988	un004494.exe
1308	pro7257.exe
2868	qu1924.exe
6120	1.exe
5828	si200738.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro7257.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7257.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7257.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exeun004494.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un004494.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4604 1308 WerFault.exe pro7257.exe
5624 2868 WerFault.exe qu1924.exe

pid	pid_target	process	target process
4604	1308	WerFault.exe	pro7257.exe
5624	2868	WerFault.exe	qu1924.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exeun004494.exepro7257.exequ1924.exe1.exesi200738.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un004494.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro7257.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu1924.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si200738.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro7257.exe

pid process

1308 pro7257.exe
1308 pro7257.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro7257.exequ1924.exe

description pid process

Token: SeDebugPrivilege 1308 pro7257.exe
Token: SeDebugPrivilege 2868 qu1924.exe

pid	process
1308	pro7257.exe
1308	pro7257.exe

description	pid	process
Token: SeDebugPrivilege	1308	pro7257.exe
Token: SeDebugPrivilege	2868	qu1924.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exeun004494.exequ1924.exe

description	pid	process	target process
PID 4908 wrote to memory of 3988	4908	5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exe	un004494.exe
PID 4908 wrote to memory of 3988	4908	5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exe	un004494.exe
PID 4908 wrote to memory of 3988	4908	5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exe	un004494.exe
PID 3988 wrote to memory of 1308	3988	un004494.exe	pro7257.exe
PID 3988 wrote to memory of 1308	3988	un004494.exe	pro7257.exe
PID 3988 wrote to memory of 1308	3988	un004494.exe	pro7257.exe
PID 3988 wrote to memory of 2868	3988	un004494.exe	qu1924.exe
PID 3988 wrote to memory of 2868	3988	un004494.exe	qu1924.exe
PID 3988 wrote to memory of 2868	3988	un004494.exe	qu1924.exe
PID 2868 wrote to memory of 6120	2868	qu1924.exe	1.exe
PID 2868 wrote to memory of 6120	2868	qu1924.exe	1.exe
PID 2868 wrote to memory of 6120	2868	qu1924.exe	1.exe
PID 4908 wrote to memory of 5828	4908	5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exe	si200738.exe
PID 4908 wrote to memory of 5828	4908	5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exe	si200738.exe
PID 4908 wrote to memory of 5828	4908	5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exe	si200738.exe

C:\Users\Admin\AppData\Local\Temp\5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exe
"C:\Users\Admin\AppData\Local\Temp\5f834092715aa50846099b6aaa20b20e9d5d59b0ae1c53d3f4bb538dc7f97601.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004494.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004494.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7257.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7257.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1064
4⤵
- Program crash
PID:4604

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1924.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1924.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 984
4⤵
- Program crash
PID:5624

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si200738.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si200738.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1308 -ip 1308
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2868 -ip 2868
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si200738.exe

Filesize
168KB

MD5
c95d31a527b8a728a024a51a87913855

SHA1
00d9932a86c2e62e9f2fc52a57299904015c7fed

SHA256
638821a4882b8a9792c9d56963d9e4341d3f88e91a7dffba2bdd8a5a0a12afdf

SHA512
fa77abaae679053d5f9d1126b6c138a9eba61c27fa88178b431f451d70f2d14cc6488132d8cc8660eeabb6e4740095617ca99a3b8aeb42fa006465487cbf68bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004494.exe

Filesize
647KB

MD5
3ce7b4e2f3a9459d1f7018ab2070d6aa

SHA1
e26a20baca91ef2e4ef1c05e2bc40aeed566149e

SHA256
ef666a825e69e4581caf0c339875d1749a9258987f95884a8868fcc62148353f

SHA512
5cf8113ab4f1af2271beefc20128865012232a53b0056d0f2688ed0b157d5e0ca3f2a895574a59dce3a3ad700a67dc4ccd6a31a1edb6aefb7a69c1d3b80a69f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7257.exe

Filesize
252KB

MD5
a10b8846ccf308fff5c4f8fb541b93ff

SHA1
5db199e0232246bffa463779cc4b4034d111024a

SHA256
d74baa0f01208ddb28b851c12fb7450917d9587685f38f09759a1405bff7e4ec

SHA512
ba767656c0069fc976da099e888a34d8ebe87ef8689f68da60177ee6996e11a457b905483a8e7245e21a34c8baf4f1c4e1eb3a79eeb439b11226d414915753d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1924.exe

Filesize
435KB

MD5
7fd5120d6c17b2b6c4b764631342bbd4

SHA1
824414bd5181979b891d1722b2b4e4ca90645a52

SHA256
56a73995a2047df51b9d283ccfebfcf4aed45e5296916ff12d4180063400835b

SHA512
85479a6bb8b9ceab34791f03f26d97f30eb8d5c5817e9834a247504afcdebc3d1b721f7d502d204cdee34efcb501531f323871d4d465b4d01faaaeece5092959

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/1308-55-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1308-37-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1308-18-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1308-19-0x00000000023B0000-0x00000000023CA000-memory.dmp

Filesize
104KB

Download
memory/1308-20-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/1308-16-0x00000000020F0000-0x000000000211D000-memory.dmp

Filesize
180KB

Download
memory/1308-39-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-49-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-47-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-45-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-43-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-41-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-34-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-31-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-29-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-27-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-25-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-22-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-21-0x0000000004A50000-0x0000000004A68000-memory.dmp

Filesize
96KB

Download
memory/1308-35-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-23-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1308-50-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/1308-51-0x00000000020F0000-0x000000000211D000-memory.dmp

Filesize
180KB

Download
memory/1308-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1308-15-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/1308-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2868-78-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-96-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-68-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-74-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-76-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-94-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-88-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-86-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-84-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-80-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-92-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-72-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-90-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-62-0x00000000051D0000-0x0000000005236000-memory.dmp

Filesize
408KB

Download
memory/2868-70-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-61-0x0000000004B70000-0x0000000004BD6000-memory.dmp

Filesize
408KB

Download
memory/2868-82-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-66-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-64-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-63-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/2868-2143-0x0000000005400000-0x0000000005432000-memory.dmp

Filesize
200KB

Download
memory/5828-2167-0x00000000009E0000-0x0000000000A0E000-memory.dmp

Filesize
184KB

Download
memory/5828-2168-0x0000000002D30000-0x0000000002D36000-memory.dmp

Filesize
24KB

Download
memory/6120-2156-0x0000000000590000-0x00000000005C0000-memory.dmp

Filesize
192KB

Download
memory/6120-2157-0x00000000026C0000-0x00000000026C6000-memory.dmp

Filesize
24KB

Download
memory/6120-2158-0x00000000055A0000-0x0000000005BB8000-memory.dmp

Filesize
6.1MB

Download
memory/6120-2159-0x0000000005090000-0x000000000519A000-memory.dmp

Filesize
1.0MB

Download
memory/6120-2160-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/6120-2161-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/6120-2162-0x0000000004FC0000-0x000000000500C000-memory.dmp

Filesize
304KB

Download