healer | b7ceb34bba631c55fc7188814711ea344799c43833aae8df15ad1b094d7909a7

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7ceb34bba631c55fc7188814711ea344799c43833aae8df15ad1b094d7909a7.exe
Size

1.1MB
MD5

fd2a2a02a8f51064bf75d6c3d5254a96
SHA1

d2a4f30034e3648959fbc6855fcceefec7c21ba8
SHA256

b7ceb34bba631c55fc7188814711ea344799c43833aae8df15ad1b094d7909a7
SHA512

55403bae85dedd0df76f9881ecde8910acd8884bbd098e0ef905644bc6e87cd990301474017a135ad5559add6bf14127645043db72b3d544260bc5a7836b17de
SSDEEP

24576:9y1zcm3LXmVIq1o9aujaFx/h+ALoTfiAYwkqTj:Y1z93LXwI9aujaHYfiAY0

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c95-32.dat	healer
behavioral1/memory/1656-35-0x00000000000C0000-0x00000000000CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	buAQ28GB03.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	buAQ28GB03.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	buAQ28GB03.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	buAQ28GB03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	buAQ28GB03.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	buAQ28GB03.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/1480-41-0x0000000004C40000-0x0000000004C86000-memory.dmp	family_redline
behavioral1/memory/1480-43-0x00000000052E0000-0x0000000005324000-memory.dmp	family_redline
behavioral1/memory/1480-44-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-107-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-105-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-104-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-101-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-99-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-98-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-95-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-93-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-91-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-87-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-83-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-81-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-80-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-77-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-75-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-73-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-71-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-67-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-65-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-63-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-61-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-59-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-55-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-53-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-51-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-49-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-89-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-85-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-69-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-57-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-47-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/1480-45-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
4844	plIN26fu99.exe
816	plEX69kO71.exe
4384	plMs68BT29.exe
2884	plTz30Vx98.exe
1656	buAQ28GB03.exe
1480	cati04tt62.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	buAQ28GB03.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b7ceb34bba631c55fc7188814711ea344799c43833aae8df15ad1b094d7909a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plIN26fu99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plEX69kO71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plMs68BT29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	plTz30Vx98.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7ceb34bba631c55fc7188814711ea344799c43833aae8df15ad1b094d7909a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plIN26fu99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plEX69kO71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plMs68BT29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plTz30Vx98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cati04tt62.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1656	buAQ28GB03.exe
1656	buAQ28GB03.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	buAQ28GB03.exe
Token: SeDebugPrivilege	1480	cati04tt62.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4844	3672	b7ceb34bba631c55fc7188814711ea344799c43833aae8df15ad1b094d7909a7.exe	83
PID 3672 wrote to memory of 4844	3672	b7ceb34bba631c55fc7188814711ea344799c43833aae8df15ad1b094d7909a7.exe	83
PID 3672 wrote to memory of 4844	3672	b7ceb34bba631c55fc7188814711ea344799c43833aae8df15ad1b094d7909a7.exe	83
PID 4844 wrote to memory of 816	4844	plIN26fu99.exe	85
PID 4844 wrote to memory of 816	4844	plIN26fu99.exe	85
PID 4844 wrote to memory of 816	4844	plIN26fu99.exe	85
PID 816 wrote to memory of 4384	816	plEX69kO71.exe	86
PID 816 wrote to memory of 4384	816	plEX69kO71.exe	86
PID 816 wrote to memory of 4384	816	plEX69kO71.exe	86
PID 4384 wrote to memory of 2884	4384	plMs68BT29.exe	87
PID 4384 wrote to memory of 2884	4384	plMs68BT29.exe	87
PID 4384 wrote to memory of 2884	4384	plMs68BT29.exe	87
PID 2884 wrote to memory of 1656	2884	plTz30Vx98.exe	89
PID 2884 wrote to memory of 1656	2884	plTz30Vx98.exe	89
PID 2884 wrote to memory of 1480	2884	plTz30Vx98.exe	99
PID 2884 wrote to memory of 1480	2884	plTz30Vx98.exe	99
PID 2884 wrote to memory of 1480	2884	plTz30Vx98.exe	99

C:\Users\Admin\AppData\Local\Temp\b7ceb34bba631c55fc7188814711ea344799c43833aae8df15ad1b094d7909a7.exe
"C:\Users\Admin\AppData\Local\Temp\b7ceb34bba631c55fc7188814711ea344799c43833aae8df15ad1b094d7909a7.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIN26fu99.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIN26fu99.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEX69kO71.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEX69kO71.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plMs68BT29.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plMs68BT29.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plTz30Vx98.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plTz30Vx98.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAQ28GB03.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAQ28GB03.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cati04tt62.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cati04tt62.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIN26fu99.exe

Filesize
986KB

MD5
ac0437a6af1ec8a6f2c7c8218fbcf889

SHA1
2586ab45674d22febb0ca1037d2df29148109167

SHA256
f447ad2183ed400bb0cca3f27150cc7409d6beee53cf03307d8a7b8c25a28322

SHA512
4b44f42e438cd927a0bcfe4cffc84c582c857c94011736e3a5a9f22da4eb5a4aef7f21fe7eb751dadf52af4710eabdc5d16687d364b4048185c39ce917c6d1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEX69kO71.exe

Filesize
883KB

MD5
afa365b7d9e7573026e4c9bdfaf10680

SHA1
72c32fb6330d17be3fcd3c7d4e33eed070d93245

SHA256
09f9ec3671ad8b5fd2624ca8f16f3dbf7c55d36065da65229d51738504722eca

SHA512
d6c3a755233f42ead6ac2bf3c18284e7dbbce6bcbf8d89219d5a090097b0e73171428d769bc4da2f12513012e6b81d80051154d28f60a00f63ce50ee888dc9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plMs68BT29.exe

Filesize
660KB

MD5
c534996bb78eead964b8839b9bafb15a

SHA1
610b3c2c5c6eb5583ebb48aef8de3e95c1ff8a89

SHA256
29d02b74b4636b37fb933504490b03ecc2b8d0936c24538af62ae31438b57840

SHA512
b580619aec77ed2fb3ab7d416fb2ecb97201a7c37273a1873dc32ea55b217866c0fbedb7fc46a5591d29146d11131f42145f8910fa0bc696fd73d2f4ffdba4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plTz30Vx98.exe

Filesize
388KB

MD5
c503c45b6365e4eb94d488222d2663cd

SHA1
f62d3ce96a92ec3dcc8ece0d223f2c436957c7c0

SHA256
dac76c9aa208ceee445e3267f27155c540f437226514c85e91290411d65ad895

SHA512
feaa033517a7fb358bfa3ece4ee0eaf3b854e2d3fc04340b3d9b0891e819177298fb453ef1bd00a1a3caa5ab1da3f0c04f2f6d2bba24a708e33a6f66f3e770af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAQ28GB03.exe

Filesize
11KB

MD5
7e55f8743ecae8db17206b194a5f6046

SHA1
4c09aa829b2831c3720f399bcf7bb48bbc6b8c4f

SHA256
c0f6efa313868cde8ef3c08909c4c35f56c19f0bef2e75672e76d25c02b33c8f

SHA512
899101046ea723bd820d86f56d854278c7dbe1c20007c53d068a306ff90607ef54417a6775f20573184936be69628db4776da78f1c7d3cc2b7f1a7cb1cf06e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cati04tt62.exe

Filesize
305KB

MD5
e11ed6fc64ebc2ac86e3a4e39aa0b6b6

SHA1
ad61736c537f06c5eda7ae7064b55a37b514eea1

SHA256
8b09887654b84d73fdaf0d421b2d5910529cbfcd5a4848a23111c2612d3a1695

SHA512
43e07b129d1b0269027fca92c05cd28fcecd5c9469df0b414ad24ba1b3270f6e55c2e5b67bc4734ec43d72e0609d58c068c23560716db14cd468031cb7b6b880

Download Submit
memory/1480-77-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-71-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-42-0x0000000004CF0000-0x0000000005294000-memory.dmp

Filesize
5.6MB

Download
memory/1480-43-0x00000000052E0000-0x0000000005324000-memory.dmp

Filesize
272KB

Download
memory/1480-44-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-107-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-105-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-104-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-101-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-99-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-98-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-95-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-93-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-91-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-87-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-83-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-81-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-80-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-954-0x0000000005C50000-0x0000000005C9C000-memory.dmp

Filesize
304KB

Download
memory/1480-75-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-73-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-41-0x0000000004C40000-0x0000000004C86000-memory.dmp

Filesize
280KB

Download
memory/1480-67-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-65-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-63-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-61-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-59-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-55-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-53-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-51-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-49-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-89-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-85-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-69-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-57-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-47-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-45-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/1480-950-0x0000000005320000-0x0000000005938000-memory.dmp

Filesize
6.1MB

Download
memory/1480-951-0x00000000059A0000-0x0000000005AAA000-memory.dmp

Filesize
1.0MB

Download
memory/1480-952-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

Filesize
72KB

Download
memory/1480-953-0x0000000005B00000-0x0000000005B3C000-memory.dmp

Filesize
240KB

Download
memory/1656-35-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download