healer | 632b9fa823c1695c9ce874966150eacc67bf61cc89b2efd0a1e5e207471fb389

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

632b9fa823c1695c9ce874966150eacc67bf61cc89b2efd0a1e5e207471fb389.exe
Size

1.1MB
MD5

15987afae0864b82e2680a63cfba7ed0
SHA1

9a457f6d2894435deb803e827a14ebb326f89c77
SHA256

632b9fa823c1695c9ce874966150eacc67bf61cc89b2efd0a1e5e207471fb389
SHA512

cfeb9df5dd48867cb45c3ff7cd20106ed27666242da38ccb34fa0cf8350317cde715127dd8bb1b2d62abe52b1fbe87edfa1e4653114a4330982d63c9a0382f7d
SSDEEP

24576:RyziPJ7OKh7/vxiioQbR4I2xr6CLKxDUhRs1+or2eu0:EWAanV4IeuTxIXs1+orw

Score

10^/10

healer redline rouch discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rouch

193.56.146.11:4162

Attributes

auth_value
1b1735bcfc122c708eae27ca352568de

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca0-33.dat	healer
behavioral1/memory/2876-35-0x0000000000690000-0x000000000069A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	burh02xs32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	burh02xs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	burh02xs32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	burh02xs32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	burh02xs32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	burh02xs32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3416-41-0x0000000002510000-0x0000000002556000-memory.dmp	family_redline
behavioral1/memory/3416-43-0x0000000002730000-0x0000000002774000-memory.dmp	family_redline
behavioral1/memory/3416-71-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-107-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-105-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-103-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-101-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-99-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-97-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-95-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-93-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-91-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-89-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-87-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-85-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-83-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-81-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-79-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-77-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-75-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-73-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-69-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-67-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-65-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-63-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-61-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-59-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-57-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-55-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-53-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-51-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-49-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-47-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-45-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3416-44-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
3728	plYJ36fQ89.exe
4768	plvO39Gb65.exe
972	plGm42RX35.exe
2340	plhD53XZ25.exe
2876	burh02xs32.exe
3416	cayD04PD82.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	burh02xs32.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	632b9fa823c1695c9ce874966150eacc67bf61cc89b2efd0a1e5e207471fb389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plYJ36fQ89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plvO39Gb65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plGm42RX35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	plhD53XZ25.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	632b9fa823c1695c9ce874966150eacc67bf61cc89b2efd0a1e5e207471fb389.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plYJ36fQ89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plvO39Gb65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plGm42RX35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plhD53XZ25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cayD04PD82.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2876	burh02xs32.exe
2876	burh02xs32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	burh02xs32.exe
Token: SeDebugPrivilege	3416	cayD04PD82.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3728	3488	632b9fa823c1695c9ce874966150eacc67bf61cc89b2efd0a1e5e207471fb389.exe	85
PID 3488 wrote to memory of 3728	3488	632b9fa823c1695c9ce874966150eacc67bf61cc89b2efd0a1e5e207471fb389.exe	85
PID 3488 wrote to memory of 3728	3488	632b9fa823c1695c9ce874966150eacc67bf61cc89b2efd0a1e5e207471fb389.exe	85
PID 3728 wrote to memory of 4768	3728	plYJ36fQ89.exe	86
PID 3728 wrote to memory of 4768	3728	plYJ36fQ89.exe	86
PID 3728 wrote to memory of 4768	3728	plYJ36fQ89.exe	86
PID 4768 wrote to memory of 972	4768	plvO39Gb65.exe	87
PID 4768 wrote to memory of 972	4768	plvO39Gb65.exe	87
PID 4768 wrote to memory of 972	4768	plvO39Gb65.exe	87
PID 972 wrote to memory of 2340	972	plGm42RX35.exe	88
PID 972 wrote to memory of 2340	972	plGm42RX35.exe	88
PID 972 wrote to memory of 2340	972	plGm42RX35.exe	88
PID 2340 wrote to memory of 2876	2340	plhD53XZ25.exe	90
PID 2340 wrote to memory of 2876	2340	plhD53XZ25.exe	90
PID 2340 wrote to memory of 3416	2340	plhD53XZ25.exe	101
PID 2340 wrote to memory of 3416	2340	plhD53XZ25.exe	101
PID 2340 wrote to memory of 3416	2340	plhD53XZ25.exe	101

C:\Users\Admin\AppData\Local\Temp\632b9fa823c1695c9ce874966150eacc67bf61cc89b2efd0a1e5e207471fb389.exe
"C:\Users\Admin\AppData\Local\Temp\632b9fa823c1695c9ce874966150eacc67bf61cc89b2efd0a1e5e207471fb389.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ36fQ89.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ36fQ89.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plvO39Gb65.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plvO39Gb65.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plGm42RX35.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plGm42RX35.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:972
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plhD53XZ25.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plhD53XZ25.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\burh02xs32.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\burh02xs32.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cayD04PD82.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cayD04PD82.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYJ36fQ89.exe

Filesize
996KB

MD5
bed79475e13e89e7e30e5d3afac76477

SHA1
8f44aa7236bf0c773db1a20ff8d84e9d1156b43f

SHA256
8805312131e2bab75bc3e4de75abf7822981a6b3f759eeba1124adc7a131a5d0

SHA512
67e2ab8b2c8823879bb490ad954abaae747e6efe3e317f29dd1e972148f127a89d242f8f5a67d8572e3d511ee8ac17b608349ee811b1d94968bad2423c57b378

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plvO39Gb65.exe

Filesize
893KB

MD5
cd8d3ddc37a82d52a1de733de7c1c54f

SHA1
803f158f68491a59993552ac006ec362cd9b7576

SHA256
111455b972b85a9e987bf83e0a74195a277f240b55bf515e83a79a97e24170f8

SHA512
7086757053f3f256ea2102136136e4307dea7682f46bb1247f213eae57867a0e0f8940e887ad069a2ebabdca48511a366d468fc5476ea063e82d0c394db417c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plGm42RX35.exe

Filesize
666KB

MD5
5791431801227b0552b03cfa82d143f0

SHA1
13f379d098d9337a50cb98aa55890d0eb1a68e3f

SHA256
4cf18ed686d4736efc86eed684862b7b9a48d45bd68af8575ac78c441b45da3b

SHA512
88e7eaecfb235b3079d183cbe4442168d97179c9c95f5e3a7c8fc224d104f8852a97bbe240199f3da9071763c7f85841c05e169f95141426c11dea7d1c5f3761

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plhD53XZ25.exe

Filesize
391KB

MD5
89553971c3d932da14b0554da1410ee6

SHA1
78b14f642d731914de4163bf8f14a334ad2c8f71

SHA256
bdc8f7015408c182217c15c8ca8c6978c03b4692c74a1bc8664bdd44937d57b4

SHA512
f227af571710002f45ae3d0b5d3c8881ff5b818bca0afa772fd9ba8301af150a47bbb9b145a723236699e11f65af0ade140e7ce83ef635cb46fade71d7def289

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\burh02xs32.exe

Filesize
11KB

MD5
e6165df5bd41eaba232431225411e792

SHA1
cb60ab7cfc7040b6c259467f9b098f7a28bb8e2e

SHA256
1e2842cd36697fb9f09460673d9bae39b650b46e1031be9212a7e73555f0e934

SHA512
5c41dfe313db546dd0d563dd50e4bec428b38251d770279e83bf441cd54ca95fd9956e732532ebc0b51229b67b22919309b8111715c92b4652ee2557c09046a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cayD04PD82.exe

Filesize
304KB

MD5
9c3e7c5879f2758bb2add2fbf488ed16

SHA1
c5a2662767f97a4860f33a9fe6cace435a3c1b02

SHA256
7ec2ec7a2ee43e8dc5523be5af507bcf31f19dfed1faa303314729d2fe456acf

SHA512
0808e8e4d00ffe2201f792095081c7fc1678ef3d75d8ae1e6d18363d1693a4bf3c1458252209a6ebd13255d8eb43c9eed45d8029a409ed511fbe3020e8b7ae8a

Download Submit
memory/2876-35-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/3416-81-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-73-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-43-0x0000000002730000-0x0000000002774000-memory.dmp

Filesize
272KB

Download
memory/3416-71-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-107-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-105-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-103-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-101-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-99-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-97-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-95-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-93-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-91-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-89-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-87-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-85-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-83-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-41-0x0000000002510000-0x0000000002556000-memory.dmp

Filesize
280KB

Download
memory/3416-79-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-77-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-75-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-42-0x0000000004E10000-0x00000000053B4000-memory.dmp

Filesize
5.6MB

Download
memory/3416-69-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-67-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-65-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-63-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-61-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-59-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-57-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-55-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-53-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-51-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-49-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-47-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-45-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-44-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3416-950-0x00000000053C0000-0x00000000059D8000-memory.dmp

Filesize
6.1MB

Download
memory/3416-951-0x0000000004C80000-0x0000000004D8A000-memory.dmp

Filesize
1.0MB

Download
memory/3416-952-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/3416-953-0x0000000005AE0000-0x0000000005B1C000-memory.dmp

Filesize
240KB

Download
memory/3416-954-0x0000000005B20000-0x0000000005B6C000-memory.dmp

Filesize
304KB

Download