healer | 9fb4c6d0560a6314f2e1c42750be3dbc5136a5990f66ec7ecc1b7fc7b7a05106

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b308892503b0e611b09435cd9621c79295cd1c6358590d04aab7030e2ed585fc.exe
Size

1.0MB
MD5

2a206b44cb6752b2dfeb4ef2393010fc
SHA1

7be7d6236574ff69059e42294158482abf9e3db2
SHA256

b308892503b0e611b09435cd9621c79295cd1c6358590d04aab7030e2ed585fc
SHA512

788be35cb00a1039bd6c1551e90fe2a4f4457a24abc27dfca4c07c067ee2310d636c5359fb1e06f9646a42ac290ec2d661d1bd51713808dcebdbf40e3489b1a2
SSDEEP

12288:kMrxy90S8DN5Mn9cCNnb4c8TMjfOnGoBVfzkfHpmmklE27gDfI7pimzDQ2kvQfL9:dydFcsbFmGoBQH4zlE9DfIRMHZrYHpp

Score

10^/10

healer redline droz norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

77.91.124.145:4125

Attributes

auth_value
d099adf6dbf6ccb8e16967104280634a

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/5020-25-0x0000000000890000-0x00000000008AA000-memory.dmp	healer
behavioral1/memory/5020-27-0x0000000002410000-0x0000000002428000-memory.dmp	healer
behavioral1/memory/5020-55-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-53-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-51-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-49-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-47-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-45-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-43-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-41-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-39-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-37-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-35-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-34-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-32-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-28-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/5020-29-0x0000000002410000-0x0000000002422000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr776695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr776695.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr776695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr776695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr776695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr776695.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2904-2148-0x0000000005400000-0x0000000005432000-memory.dmp	family_redline
behavioral1/files/0x000b000000023cb5-2153.dat	family_redline
behavioral1/memory/5328-2161-0x0000000000380000-0x00000000003B0000-memory.dmp	family_redline
behavioral1/files/0x0007000000023cb0-2169.dat	family_redline
behavioral1/memory/5832-2171-0x0000000000490000-0x00000000004BE000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	qu833282.exe

Executes dropped EXE 6 IoCs

pid	Process
3836	un581917.exe
4396	un856050.exe
5020	pr776695.exe
2904	qu833282.exe
5328	1.exe
5832	rk019395.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr776695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr776695.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un856050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b308892503b0e611b09435cd9621c79295cd1c6358590d04aab7030e2ed585fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un581917.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4544	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5084	5020	WerFault.exe	85
5572	2904	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un581917.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un856050.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr776695.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu833282.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk019395.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b308892503b0e611b09435cd9621c79295cd1c6358590d04aab7030e2ed585fc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5020	pr776695.exe
5020	pr776695.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5020	pr776695.exe
Token: SeDebugPrivilege	2904	qu833282.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 3836	548	b308892503b0e611b09435cd9621c79295cd1c6358590d04aab7030e2ed585fc.exe	83
PID 548 wrote to memory of 3836	548	b308892503b0e611b09435cd9621c79295cd1c6358590d04aab7030e2ed585fc.exe	83
PID 548 wrote to memory of 3836	548	b308892503b0e611b09435cd9621c79295cd1c6358590d04aab7030e2ed585fc.exe	83
PID 3836 wrote to memory of 4396	3836	un581917.exe	84
PID 3836 wrote to memory of 4396	3836	un581917.exe	84
PID 3836 wrote to memory of 4396	3836	un581917.exe	84
PID 4396 wrote to memory of 5020	4396	un856050.exe	85
PID 4396 wrote to memory of 5020	4396	un856050.exe	85
PID 4396 wrote to memory of 5020	4396	un856050.exe	85
PID 4396 wrote to memory of 2904	4396	un856050.exe	97
PID 4396 wrote to memory of 2904	4396	un856050.exe	97
PID 4396 wrote to memory of 2904	4396	un856050.exe	97
PID 2904 wrote to memory of 5328	2904	qu833282.exe	98
PID 2904 wrote to memory of 5328	2904	qu833282.exe	98
PID 2904 wrote to memory of 5328	2904	qu833282.exe	98
PID 3836 wrote to memory of 5832	3836	un581917.exe	101
PID 3836 wrote to memory of 5832	3836	un581917.exe	101
PID 3836 wrote to memory of 5832	3836	un581917.exe	101

C:\Users\Admin\AppData\Local\Temp\b308892503b0e611b09435cd9621c79295cd1c6358590d04aab7030e2ed585fc.exe
"C:\Users\Admin\AppData\Local\Temp\b308892503b0e611b09435cd9621c79295cd1c6358590d04aab7030e2ed585fc.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un581917.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un581917.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un856050.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un856050.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776695.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776695.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1084
        5⤵
        Program crash
        
        PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu833282.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu833282.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5328
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1488
        5⤵
        Program crash
        
        PID:5572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk019395.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk019395.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5020 -ip 5020
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2904 -ip 2904
1⤵
PID:5428

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un581917.exe

Filesize
801KB

MD5
4df942fdf1836f761d595e891c263d83

SHA1
5f0dd68cdbaf2fca7de79cd7ed268c8700bbd241

SHA256
c6ce03c70a880eac4aa9b0ecf853f6c5d09f8e16f52c8c64c6383979078bfa29

SHA512
03e719b856e94f29f84c78826aff51e30e93795a34996f0a233bab9dd4529d8973d60837de587a5516cec64bedceb49c27f595f70570406d70f7a89d5b9ada1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk019395.exe

Filesize
168KB

MD5
bf5d35652ea020847f2a00eaf6286864

SHA1
cea570ff21ead6f07ad0c4aa969d04b8a0c14d24

SHA256
822d9dfd994c96a2ae690141c2578bdf820c767448a2146fb1b6aacb84f87bb8

SHA512
c699f5b447f1a21262d38b6f032db3242b3a784365dcbbba95ec3938bce2f2393816d171e61780564ee8ae33715796edbd9abf6fb59e2d33d7ac65482c816bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un856050.exe

Filesize
647KB

MD5
75084aa6c4f227dc7a09372b50c3cbde

SHA1
6053e1013b7a3438315bcc8cbf09114f2d009f27

SHA256
de733d22aa78dfd8887d5920ebae2502b9467191972d086891d3930dee637b82

SHA512
364bcca10447a53cb64180ee5333f7fb5ecc4bcf83fa85ee3425aea9543adb7c75c3546190720f8224795e897ee57fe4adae0232844f1345dbaf74e29c8da5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776695.exe

Filesize
243KB

MD5
5884d8e4d1fb5c1998e3bd6cf7712543

SHA1
65e6c59cc3e332637b2f7bb8501a913fb124e108

SHA256
7037620a24c481c63ce4a5e9020db7c3098890c467ee72368c674fef608f8bb8

SHA512
8a876aa01e8c1405d1793ed445430f12159cac4100fa09ec78b2c967dc29a85363a5bbd6848b40a480cbf337fde760c18afacf5d5b5444a7e9d3404a9a5897e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu833282.exe

Filesize
426KB

MD5
6fea30a78163f91dbba53554ab1338d6

SHA1
a84bdc41942e4ef2e2cf0e3edd86d3482918d44f

SHA256
a4e3614ad9d2ae65aa232fe74e22475d99d402ffe7d0c5c62a5eaac663621fee

SHA512
e2529edff18257c5689b2a308096bdb2411389db8d687a07c12bb8ebcd39728fd2079707cb64b7907afe6b11548daf788814e9843c11e93369dd1945220b0b77

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/2904-99-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-66-0x0000000004BE0000-0x0000000004C46000-memory.dmp

Filesize
408KB

Download
memory/2904-71-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-79-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-2148-0x0000000005400000-0x0000000005432000-memory.dmp

Filesize
200KB

Download
memory/2904-68-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-69-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-81-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-89-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-73-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-75-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-77-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-83-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-101-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-87-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-91-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-93-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-95-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-97-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-85-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/2904-67-0x0000000005200000-0x0000000005266000-memory.dmp

Filesize
408KB

Download
memory/5020-34-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-43-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-25-0x0000000000890000-0x00000000008AA000-memory.dmp

Filesize
104KB

Download
memory/5020-60-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5020-58-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5020-27-0x0000000002410000-0x0000000002428000-memory.dmp

Filesize
96KB

Download
memory/5020-22-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/5020-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5020-56-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/5020-29-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-28-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-32-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-26-0x0000000004B00000-0x00000000050A4000-memory.dmp

Filesize
5.6MB

Download
memory/5020-35-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-37-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-39-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-41-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-61-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5020-23-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5020-45-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-47-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-49-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-51-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-53-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5020-24-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5020-55-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/5328-2162-0x00000000024D0000-0x00000000024D6000-memory.dmp

Filesize
24KB

Download
memory/5328-2163-0x0000000005340000-0x0000000005958000-memory.dmp

Filesize
6.1MB

Download
memory/5328-2164-0x0000000004E30000-0x0000000004F3A000-memory.dmp

Filesize
1.0MB

Download
memory/5328-2165-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/5328-2161-0x0000000000380000-0x00000000003B0000-memory.dmp

Filesize
192KB

Download
memory/5328-2167-0x0000000004D60000-0x0000000004D9C000-memory.dmp

Filesize
240KB

Download
memory/5328-2172-0x0000000004DB0000-0x0000000004DFC000-memory.dmp

Filesize
304KB

Download
memory/5832-2171-0x0000000000490000-0x00000000004BE000-memory.dmp

Filesize
184KB

Download
memory/5832-2173-0x00000000025E0000-0x00000000025E6000-memory.dmp

Filesize
24KB

Download