healer | f1ea8300f8dba4042b466efd8a5f7fdec0d99d1bf579813a2e8c5399c113ccee

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1ea8300f8dba4042b466efd8a5f7fdec0d99d1bf579813a2e8c5399c113ccee.exe
Size

1.1MB
MD5

d3e92a6125d71c99e45e06eedc1e4cab
SHA1

5806496783264cd86277661146fc2dff4faa1e06
SHA256

f1ea8300f8dba4042b466efd8a5f7fdec0d99d1bf579813a2e8c5399c113ccee
SHA512

437b49174bfbea21e8d3839f88c49b2c91ab5fecf97f1c8fc146263790ba427111940e2a43ad338866049450983059dd0a2dcc67077497f66409ab3df54b4c60
SSDEEP

24576:KyTiV9kvaOayudOw0okLnZHfv8a/f/x29LFJpQEVoglk:RTY9kpayuMf7ZH38aJ2zno

Score

10^/10

healer redline diro lada discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

diro

185.161.248.90:4125

Attributes

auth_value
ae95bda0dd2e95169886a3a68138568b

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4424-23-0x0000000002270000-0x000000000228A000-memory.dmp	healer
behavioral1/memory/4424-25-0x0000000002610000-0x0000000002628000-memory.dmp	healer
behavioral1/memory/4424-26-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-53-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-51-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-49-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-48-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-46-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-43-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-41-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-40-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-38-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-35-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-33-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-31-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-29-0x0000000002610000-0x0000000002622000-memory.dmp	healer
behavioral1/memory/4424-28-0x0000000002610000-0x0000000002622000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr620230.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr620230.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr620230.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr620230.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr620230.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr620230.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/4596-2206-0x0000000005410000-0x0000000005442000-memory.dmp	family_redline
behavioral1/files/0x0012000000023b5d-2211.dat	family_redline
behavioral1/memory/4260-2219-0x0000000000D20000-0x0000000000D4E000-memory.dmp	family_redline
behavioral1/files/0x0007000000023c9f-2228.dat	family_redline
behavioral1/memory/3596-2230-0x0000000000DA0000-0x0000000000DD0000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	qu106534.exe

Executes dropped EXE 6 IoCs

pid	Process
3832	un964191.exe
232	un388079.exe
4424	pr620230.exe
4596	qu106534.exe
4260	1.exe
3596	rk948377.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr620230.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr620230.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f1ea8300f8dba4042b466efd8a5f7fdec0d99d1bf579813a2e8c5399c113ccee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un964191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un388079.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2900	4424	WerFault.exe	87
1676	4596	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk948377.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1ea8300f8dba4042b466efd8a5f7fdec0d99d1bf579813a2e8c5399c113ccee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un964191.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un388079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr620230.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu106534.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4424	pr620230.exe
4424	pr620230.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	pr620230.exe
Token: SeDebugPrivilege	4596	qu106534.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 3832	1900	f1ea8300f8dba4042b466efd8a5f7fdec0d99d1bf579813a2e8c5399c113ccee.exe	84
PID 1900 wrote to memory of 3832	1900	f1ea8300f8dba4042b466efd8a5f7fdec0d99d1bf579813a2e8c5399c113ccee.exe	84
PID 1900 wrote to memory of 3832	1900	f1ea8300f8dba4042b466efd8a5f7fdec0d99d1bf579813a2e8c5399c113ccee.exe	84
PID 3832 wrote to memory of 232	3832	un964191.exe	86
PID 3832 wrote to memory of 232	3832	un964191.exe	86
PID 3832 wrote to memory of 232	3832	un964191.exe	86
PID 232 wrote to memory of 4424	232	un388079.exe	87
PID 232 wrote to memory of 4424	232	un388079.exe	87
PID 232 wrote to memory of 4424	232	un388079.exe	87
PID 232 wrote to memory of 4596	232	un388079.exe	92
PID 232 wrote to memory of 4596	232	un388079.exe	92
PID 232 wrote to memory of 4596	232	un388079.exe	92
PID 4596 wrote to memory of 4260	4596	qu106534.exe	93
PID 4596 wrote to memory of 4260	4596	qu106534.exe	93
PID 4596 wrote to memory of 4260	4596	qu106534.exe	93
PID 3832 wrote to memory of 3596	3832	un964191.exe	96
PID 3832 wrote to memory of 3596	3832	un964191.exe	96
PID 3832 wrote to memory of 3596	3832	un964191.exe	96

C:\Users\Admin\AppData\Local\Temp\f1ea8300f8dba4042b466efd8a5f7fdec0d99d1bf579813a2e8c5399c113ccee.exe
"C:\Users\Admin\AppData\Local\Temp\f1ea8300f8dba4042b466efd8a5f7fdec0d99d1bf579813a2e8c5399c113ccee.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964191.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964191.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un388079.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un388079.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr620230.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr620230.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1100
        5⤵
        Program crash
        
        PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu106534.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu106534.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1376
        5⤵
        Program crash
        
        PID:1676
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk948377.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk948377.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4424 -ip 4424
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4596 -ip 4596
1⤵
PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964191.exe

Filesize
818KB

MD5
d94f1fa928314fdd90a080f1642f9ae9

SHA1
9cfa1ace64f9362e72c4aa737dc2f2ede501cdaf

SHA256
c3fd298bec000f8adc0df09fb016efb2d84517eb56b88bc2cbfcb153c2e1f061

SHA512
6df6b71a1de1f79e2538f2a91e36355b85dcb08c79501b7d079e9a4405aeb9b4e7d12c2d96ff608e0ffc2508a36428bbacedc110dd3c57807e3c01c17fb6ea81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk948377.exe

Filesize
168KB

MD5
abda83f4dcfc4dd7b01c36ecb65444b0

SHA1
01ef854f2b34e6e61cabe73c19144bfa8042606b

SHA256
58043596bcf72f9068d182f1b6e68d2ea53195f3f7a2827dd6dc2bba50d430fb

SHA512
c313e66067f9fb8dc0b7cc92dcf43335e82f1311be7343925c5dabf0691237fe68e039eb6984fddaa0e301063e98f95953e9505f5a851032183930d46a8c306e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un388079.exe

Filesize
664KB

MD5
c796252cf7deafd846437d76d2e2a412

SHA1
11b97105961a1b28eab656f01af2a88924096e89

SHA256
ea43ff4427c178f82a58cac02ea271253d389187bf005932b88e76ae8f809ce5

SHA512
b5c153fd85676a4acf567bbb607b32e8fb7190df27a8f5e27bacadd0ff8475602a05e83c3c01068f542e02ea7af9c978a0a98b20d9e89d09b9e34c61530ff5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr620230.exe

Filesize
317KB

MD5
385e680851b4d0866d1e3e3bcfe95042

SHA1
06a2b2d037c33eaa3c563c2be15aa4852cfee9ee

SHA256
e2e29c15086f736349a723eda17264b087b517fd2e3aa3202ede6c333dce0dc7

SHA512
664379a65efbffb38202b5e013b532a75b45a8dd48017889ba01c2b6abcc986840739004e5b8ebf5ddcdd7e5ad674d8bfde9b65a77f6fcfdd02e99017739ee17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu106534.exe

Filesize
501KB

MD5
18da791b87f68612659e94ba33b30b7e

SHA1
ba3e023d8adcfccf703b488b9a2b2993b3322c6c

SHA256
3022574696b29d2dbb9aa5c46c8acf720cd27e0c61e7c6ff1f30d51a27800a77

SHA512
f5bf66bc9e14e5f3365c7b70f2447af589ad484d553eb78e4422dac9a29da304b8b39b393e1e862bd5fa7463e3ee12dca363b19e9239328748b30c531260d2f1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/3596-2230-0x0000000000DA0000-0x0000000000DD0000-memory.dmp

Filesize
192KB

Download
memory/3596-2231-0x0000000002E50000-0x0000000002E56000-memory.dmp

Filesize
24KB

Download
memory/4260-2221-0x0000000005D70000-0x0000000006388000-memory.dmp

Filesize
6.1MB

Download
memory/4260-2220-0x0000000002FF0000-0x0000000002FF6000-memory.dmp

Filesize
24KB

Download
memory/4260-2219-0x0000000000D20000-0x0000000000D4E000-memory.dmp

Filesize
184KB

Download
memory/4260-2226-0x0000000005750000-0x000000000579C000-memory.dmp

Filesize
304KB

Download
memory/4260-2224-0x00000000056C0000-0x00000000056FC000-memory.dmp

Filesize
240KB

Download
memory/4260-2223-0x00000000056A0000-0x00000000056B2000-memory.dmp

Filesize
72KB

Download
memory/4260-2222-0x0000000005860000-0x000000000596A000-memory.dmp

Filesize
1.0MB

Download
memory/4424-55-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/4424-28-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-46-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-43-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-41-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-40-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-38-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-35-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-33-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-31-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-29-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-51-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-54-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4424-49-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-57-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4424-22-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/4424-23-0x0000000002270000-0x000000000228A000-memory.dmp

Filesize
104KB

Download
memory/4424-24-0x0000000004B00000-0x00000000050A4000-memory.dmp

Filesize
5.6MB

Download
memory/4424-25-0x0000000002610000-0x0000000002628000-memory.dmp

Filesize
96KB

Download
memory/4424-26-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-53-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4424-48-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4596-97-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-93-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-91-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-89-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-87-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-85-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-83-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-81-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-79-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-77-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-95-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-64-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-65-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-67-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-73-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-63-0x0000000004B40000-0x0000000004BA6000-memory.dmp

Filesize
408KB

Download
memory/4596-62-0x0000000002650000-0x00000000026B8000-memory.dmp

Filesize
416KB

Download
memory/4596-75-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-71-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-69-0x0000000004B40000-0x0000000004BA0000-memory.dmp

Filesize
384KB

Download
memory/4596-2206-0x0000000005410000-0x0000000005442000-memory.dmp

Filesize
200KB

Download