healer | c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exe
Size

787KB
MD5

5bb06312e53843de5eb5cee3fe851263
SHA1

b7157ba67767ade80eb0d2823a71df12aa119ace
SHA256

c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39
SHA512

0ee16df2fda02500014693824a4b4ba7e9832a3b583e158823eef202a7ee3954fc4cea35e74caf97719e671700b8b57199ac00cf344191c2d7ecc109b96579de
SSDEEP

12288:2Mroy901dx3K3zs1BJIZyr+F7JwQMu97MH479gxiSYL3XI1V4Iluin9TIcGmn:iyYdlgzs1B2FF7JX9D9miRL3XUVuEn

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2348-19-0x0000000002620000-0x000000000263A000-memory.dmp	healer
behavioral1/memory/2348-21-0x0000000004B80000-0x0000000004B98000-memory.dmp	healer
behavioral1/memory/2348-49-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-47-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-45-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-43-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-41-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-39-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-37-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-35-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-33-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-31-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-29-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-27-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-25-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-23-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2348-22-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro1515.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro1515.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1515.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1515.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1515.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1515.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1515.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4984-2143-0x0000000002780000-0x00000000027B2000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral1/memory/5208-2156-0x00000000007A0000-0x00000000007D0000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si759621.exe	family_redline
behavioral1/memory/3712-2167-0x0000000000B10000-0x0000000000B3E000-memory.dmp	family_redline

Redline family
redline
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

qu0998.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation qu0998.exe
Executes dropped EXE 5 IoCs

Processes:

un244564.exepro1515.exequ0998.exe1.exesi759621.exe

pid process

4788 un244564.exe
2348 pro1515.exe
4984 qu0998.exe
5208 1.exe
3712 si759621.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	qu0998.exe

pid	process
4788	un244564.exe
2348	pro1515.exe
4984	qu0998.exe
5208	1.exe
3712	si759621.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro1515.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro1515.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1515.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exeun244564.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un244564.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4656 2348 WerFault.exe pro1515.exe
3960 4984 WerFault.exe qu0998.exe

pid	pid_target	process	target process
4656	2348	WerFault.exe	pro1515.exe
3960	4984	WerFault.exe	qu0998.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exeun244564.exepro1515.exequ0998.exe1.exesi759621.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un244564.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro1515.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu0998.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si759621.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro1515.exe

pid process

2348 pro1515.exe
2348 pro1515.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro1515.exequ0998.exe

description pid process

Token: SeDebugPrivilege 2348 pro1515.exe
Token: SeDebugPrivilege 4984 qu0998.exe

pid	process
2348	pro1515.exe
2348	pro1515.exe

description	pid	process
Token: SeDebugPrivilege	2348	pro1515.exe
Token: SeDebugPrivilege	4984	qu0998.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exeun244564.exequ0998.exe

description	pid	process	target process
PID 1848 wrote to memory of 4788	1848	c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exe	un244564.exe
PID 1848 wrote to memory of 4788	1848	c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exe	un244564.exe
PID 1848 wrote to memory of 4788	1848	c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exe	un244564.exe
PID 4788 wrote to memory of 2348	4788	un244564.exe	pro1515.exe
PID 4788 wrote to memory of 2348	4788	un244564.exe	pro1515.exe
PID 4788 wrote to memory of 2348	4788	un244564.exe	pro1515.exe
PID 4788 wrote to memory of 4984	4788	un244564.exe	qu0998.exe
PID 4788 wrote to memory of 4984	4788	un244564.exe	qu0998.exe
PID 4788 wrote to memory of 4984	4788	un244564.exe	qu0998.exe
PID 4984 wrote to memory of 5208	4984	qu0998.exe	1.exe
PID 4984 wrote to memory of 5208	4984	qu0998.exe	1.exe
PID 4984 wrote to memory of 5208	4984	qu0998.exe	1.exe
PID 1848 wrote to memory of 3712	1848	c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exe	si759621.exe
PID 1848 wrote to memory of 3712	1848	c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exe	si759621.exe
PID 1848 wrote to memory of 3712	1848	c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exe	si759621.exe

C:\Users\Admin\AppData\Local\Temp\c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exe
"C:\Users\Admin\AppData\Local\Temp\c292dc02ac847d295eae64a5292e8784fed9fd3397d0e15d212ab5bae1a55f39.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un244564.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un244564.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1515.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1515.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1080
4⤵
- Program crash
PID:4656

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0998.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0998.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1388
4⤵
- Program crash
PID:3960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si759621.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si759621.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2348 -ip 2348
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4984 -ip 4984
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si759621.exe

Filesize
168KB

MD5
eceef8bb969cb825e7e4223d770ddedb

SHA1
a0be484418d1ecc3199369bfcac45715caee1d70

SHA256
474cf49683e58973508627cc428cc4bedadb710c1a7cd11c641edfd6e08661c6

SHA512
f825bec831b9c3a4b16e6465f79abdb321b07e89171707b413d5c15bf4ffb530bd716beac9354ede6ca7455169a6028f092d0c183838e3a22045c11ccfa265d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un244564.exe

Filesize
633KB

MD5
7980aa6dfa06b86cabc902309a1c3819

SHA1
f669cb386085e0448e02508b5c590e43309357bc

SHA256
82fc21ca76e2d550fe246ff0408fea1321d09f47dc1eb25b238d3cdce04200b0

SHA512
edc7a5be00f5ba08a67f1ac3e05c09b1a33c98c6ad25ff45fc40b5f3add6f61aebcb34fa388783c424e47bc5225a9f2272fd290316b5260c2dbcac9bdf2dd7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1515.exe

Filesize
230KB

MD5
58b9992412123672c2795235c323c129

SHA1
32d926d99dc02da9a1c20b32bd048430568175bd

SHA256
ef1bb9785720403a64d2ad6a0d384f739f713b17f6b0295c920b889f632d5d7b

SHA512
57059f25b2242d1b5090ebdfc3672e56eb4569d75a707d272b3e940158b7f326d4e07a3a43ecdcb3c990a457e7b36e4c5544c8e96c119c90d361cb8781c49fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0998.exe

Filesize
414KB

MD5
58196f77881cb4aa27ea0b748926853f

SHA1
2070f6038ff8a9243d5c221945661b9a5159bb3a

SHA256
dfca58b656bb21ebc0465f36c32bc2e978ee3c577e0f84b9e1609c57f6f8af75

SHA512
b189565ae62378d63e5911e9ea0a0f71bd1988fb755d10de21fbf9596ad69491b6d7cd3e45b144fff398fa90f09ebe352a6a444286250adcfb92188da54456a3

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/2348-55-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2348-25-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2348-18-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2348-19-0x0000000002620000-0x000000000263A000-memory.dmp

Filesize
104KB

Download
memory/2348-20-0x0000000004CC0000-0x0000000005264000-memory.dmp

Filesize
5.6MB

Download
memory/2348-16-0x00000000004C0000-0x00000000004ED000-memory.dmp

Filesize
180KB

Download
memory/2348-49-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-47-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-45-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-43-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-41-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-39-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-37-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-35-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-33-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-31-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-29-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-27-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-21-0x0000000004B80000-0x0000000004B98000-memory.dmp

Filesize
96KB

Download
memory/2348-23-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-22-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2348-50-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/2348-51-0x00000000004C0000-0x00000000004ED000-memory.dmp

Filesize
180KB

Download
memory/2348-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2348-15-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/2348-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3712-2168-0x0000000001380000-0x0000000001386000-memory.dmp

Filesize
24KB

Download
memory/3712-2167-0x0000000000B10000-0x0000000000B3E000-memory.dmp

Filesize
184KB

Download
memory/4984-63-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-70-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-74-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-80-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-96-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-94-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-93-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-88-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-86-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-84-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-78-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-62-0x00000000026E0000-0x0000000002746000-memory.dmp

Filesize
408KB

Download
memory/4984-72-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-76-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-64-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-67-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-90-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-82-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-68-0x00000000026E0000-0x000000000273F000-memory.dmp

Filesize
380KB

Download
memory/4984-61-0x0000000002500000-0x0000000002566000-memory.dmp

Filesize
408KB

Download
memory/4984-2143-0x0000000002780000-0x00000000027B2000-memory.dmp

Filesize
200KB

Download
memory/5208-2156-0x00000000007A0000-0x00000000007D0000-memory.dmp

Filesize
192KB

Download
memory/5208-2157-0x0000000005080000-0x0000000005086000-memory.dmp

Filesize
24KB

Download
memory/5208-2158-0x00000000056F0000-0x0000000005D08000-memory.dmp

Filesize
6.1MB

Download
memory/5208-2159-0x00000000051F0000-0x00000000052FA000-memory.dmp

Filesize
1.0MB

Download
memory/5208-2160-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/5208-2161-0x0000000005180000-0x00000000051BC000-memory.dmp

Filesize
240KB

Download
memory/5208-2162-0x0000000005300000-0x000000000534C000-memory.dmp

Filesize
304KB

Download