healer | 42470db9f3e7a3ab625282e235519b7f80bb4cf59f1ec541edb258432b1527d0

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42470db9f3e7a3ab625282e235519b7f80bb4cf59f1ec541edb258432b1527d0.exe
Size

1.2MB
MD5

cf5c4a1065b38a43021222c4e9e714dc
SHA1

dc7d686a616e426087e24d17ed7b0b4215a6f8c6
SHA256

42470db9f3e7a3ab625282e235519b7f80bb4cf59f1ec541edb258432b1527d0
SHA512

c576b122be3a1dbe7b5a70ecb86a96c4ba2dc5f63fb3a9df112ce848e71342ac88d3c2b00c777ce8f52eda2e1f5c91f3fff95e2f1755460190417ed00a7e469a
SSDEEP

24576:kygfUzIksqG+hV1zT/yx6NABN80uIp2KtbJoXqYq:z1IxSVtg6+BNnVbJoXt

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023bc2-32.dat	healer
behavioral1/memory/3212-35-0x0000000000230000-0x000000000023A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	buOi61dd68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	buOi61dd68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	buOi61dd68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	buOi61dd68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	buOi61dd68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	buOi61dd68.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3588-41-0x0000000004B90000-0x0000000004BD6000-memory.dmp	family_redline
behavioral1/memory/3588-43-0x0000000004C50000-0x0000000004C94000-memory.dmp	family_redline
behavioral1/memory/3588-71-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-69-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-67-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-107-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-105-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-103-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-99-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-95-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-93-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-91-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-87-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-85-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-81-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-79-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-77-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-73-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-65-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-63-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-61-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-55-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-102-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-97-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-89-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-83-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-76-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-59-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-57-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-53-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-51-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-49-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-47-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-45-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral1/memory/3588-44-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
408	pleD70Ie96.exe
3472	plCk21gk31.exe
2584	plzF66ud04.exe
2800	plMp50dE41.exe
3212	buOi61dd68.exe
3588	caug56OS87.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	buOi61dd68.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	42470db9f3e7a3ab625282e235519b7f80bb4cf59f1ec541edb258432b1527d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pleD70Ie96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plCk21gk31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plzF66ud04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	plMp50dE41.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42470db9f3e7a3ab625282e235519b7f80bb4cf59f1ec541edb258432b1527d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pleD70Ie96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plCk21gk31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plzF66ud04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plMp50dE41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caug56OS87.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3212	buOi61dd68.exe
3212	buOi61dd68.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	buOi61dd68.exe
Token: SeDebugPrivilege	3588	caug56OS87.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 408	3528	42470db9f3e7a3ab625282e235519b7f80bb4cf59f1ec541edb258432b1527d0.exe	83
PID 3528 wrote to memory of 408	3528	42470db9f3e7a3ab625282e235519b7f80bb4cf59f1ec541edb258432b1527d0.exe	83
PID 3528 wrote to memory of 408	3528	42470db9f3e7a3ab625282e235519b7f80bb4cf59f1ec541edb258432b1527d0.exe	83
PID 408 wrote to memory of 3472	408	pleD70Ie96.exe	85
PID 408 wrote to memory of 3472	408	pleD70Ie96.exe	85
PID 408 wrote to memory of 3472	408	pleD70Ie96.exe	85
PID 3472 wrote to memory of 2584	3472	plCk21gk31.exe	86
PID 3472 wrote to memory of 2584	3472	plCk21gk31.exe	86
PID 3472 wrote to memory of 2584	3472	plCk21gk31.exe	86
PID 2584 wrote to memory of 2800	2584	plzF66ud04.exe	88
PID 2584 wrote to memory of 2800	2584	plzF66ud04.exe	88
PID 2584 wrote to memory of 2800	2584	plzF66ud04.exe	88
PID 2800 wrote to memory of 3212	2800	plMp50dE41.exe	90
PID 2800 wrote to memory of 3212	2800	plMp50dE41.exe	90
PID 2800 wrote to memory of 3588	2800	plMp50dE41.exe	95
PID 2800 wrote to memory of 3588	2800	plMp50dE41.exe	95
PID 2800 wrote to memory of 3588	2800	plMp50dE41.exe	95

C:\Users\Admin\AppData\Local\Temp\42470db9f3e7a3ab625282e235519b7f80bb4cf59f1ec541edb258432b1527d0.exe
"C:\Users\Admin\AppData\Local\Temp\42470db9f3e7a3ab625282e235519b7f80bb4cf59f1ec541edb258432b1527d0.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pleD70Ie96.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pleD70Ie96.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plCk21gk31.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plCk21gk31.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plzF66ud04.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plzF66ud04.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plMp50dE41.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plMp50dE41.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOi61dd68.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOi61dd68.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caug56OS87.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caug56OS87.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pleD70Ie96.exe

Filesize
1.0MB

MD5
1bfa7cc8e0ce69f97d355dc7d22dead5

SHA1
72d94ff31d1bf261c2aedefd6ff5eee00de17faa

SHA256
b04070af2a0a55112bdfb703d2bbf476f73a341f141d10341cdffd2e04a8cc37

SHA512
0937d872d2021364cb45f3682eced094481870ed57481032e62fab956d2a56d5b6f8d946f13b91d2965e514676033c6fa310533da1dcbea1c08575d2d88fcaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plCk21gk31.exe

Filesize
958KB

MD5
48e904e6bb8db7252d6d8c58ddec497c

SHA1
bd3893df914342ecc4dd09769d394ba47f6d850c

SHA256
50481465e42f5f4b14c502861c7975342f665868bea0f51c9446c43c01195841

SHA512
1fa1d4bbf7e6fce4047496629a90fa1a4b7f9357e9c53e71ea44a1d0c5263188c1b37a0f4737db75c704c447255015325fa4d090c19692c4edd5ea7594c2ab56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plzF66ud04.exe

Filesize
681KB

MD5
8d87eac8a5b45abeeb8fbb44c16eef5e

SHA1
bc4e40a7e303f214c1f4cd1778f64d48b529dcf9

SHA256
401cd9bf90702d2a345edd56fdb2c0b053671e7be102176f663777f31e7dba72

SHA512
f15796b1906fe221921bede9dca39218598a0de2b2894f17591c8a1ad1d5f38ecae37112950ca4cfec783689511d111e92193ad27ff5dc16fe959f4531e61dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plMp50dE41.exe

Filesize
399KB

MD5
4ab770ee03df575afa3911f1885f35d6

SHA1
3a06a69653710f49b43dacfd6e2ad62f89916a82

SHA256
4e4482223a19212b60698955561ae83061c1c19b26ca1fe9d01f2768206e6be8

SHA512
d0da1814b6adb9f64a30ecb7ea00fd01130edbd104316407cb33b9a6f57d8f7c39ff31328603d096e9a08d6e3e9b41f1b8e89eee3e37a0f1c1fd5fb0372529a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOi61dd68.exe

Filesize
13KB

MD5
20f80ec866fc73c8fdee6973a5e82bf1

SHA1
a84b36575b3f638da3319c6f7989ed1be8301c15

SHA256
3f44b23d068d813adc37b255a49dc3b462425eb4e9ebd562a58d70ae26b8298f

SHA512
f164ba5de5308c17914daa9965c3fb39012a91c3d249fad9a5f0252d27b2eda559d0fc70718552cb3a10bf2311cf0dd9cf10b314c15c96c553b2598f98b1cebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caug56OS87.exe

Filesize
374KB

MD5
942df7eafcd8251e970bab297fe208c5

SHA1
b2f283226ff1c5687075677e5355cd9975d74225

SHA256
7c23e74f0cd48753c8d4cd4c92994b60cc797217b264b0f4d59b7d2be591ea2e

SHA512
7d71a1c8ebca3bc7ba0b4266b135eccb9418e926f36c5c17d8df6434a79f404622e7c89af438f0de1c7c12ccb1178001e6c16de146ff1b3ec10b27fe7293df61

Download Submit
memory/3212-35-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/3588-77-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-61-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-43-0x0000000004C50000-0x0000000004C94000-memory.dmp

Filesize
272KB

Download
memory/3588-71-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-69-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-67-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-107-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-105-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-103-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-99-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-95-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-93-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-91-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-87-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-85-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-81-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-79-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-41-0x0000000004B90000-0x0000000004BD6000-memory.dmp

Filesize
280KB

Download
memory/3588-73-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-65-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-63-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-42-0x0000000007370000-0x0000000007914000-memory.dmp

Filesize
5.6MB

Download
memory/3588-55-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-102-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-950-0x0000000007A20000-0x0000000008038000-memory.dmp

Filesize
6.1MB

Download
memory/3588-951-0x0000000008040000-0x000000000814A000-memory.dmp

Filesize
1.0MB

Download
memory/3588-97-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-952-0x0000000007330000-0x0000000007342000-memory.dmp

Filesize
72KB

Download
memory/3588-89-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-953-0x0000000008150000-0x000000000818C000-memory.dmp

Filesize
240KB

Download
memory/3588-83-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-76-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-59-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-57-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-53-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-51-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-49-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-47-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-45-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-44-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3588-954-0x0000000008290000-0x00000000082DC000-memory.dmp

Filesize
304KB

Download