healer | 1d58eee936478ff8990e80a0cef7803d61375f33362c2ad5e2131c18463c25ac

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d58eee936478ff8990e80a0cef7803d61375f33362c2ad5e2131c18463c25ac.exe
Size

1.3MB
MD5

4465df6f776e356c9ce55d0d3669deea
SHA1

ca3dbc9bb34949f8c036d0fe8f96db6c888f0722
SHA256

1d58eee936478ff8990e80a0cef7803d61375f33362c2ad5e2131c18463c25ac
SHA512

64dc3e2605abc2920a307b094171a965758b58316772690acdac53fc729a027322919787863df41d0566137347eb1776a60928d68a7b15bb0195954b53154c29
SSDEEP

24576:Qy0BVW6BpegLeewunIdTun/DvTDZkhhE44AE2iYRm3Z+YJUubAclywt8GYhqM:X8lpegLxwzurTYhE45E2IBldYw6GYI

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023caa-40.dat	healer
behavioral1/memory/2696-42-0x0000000000630000-0x000000000063A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	iJB43RZ97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	iJB43RZ97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	iJB43RZ97.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	iJB43RZ97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	iJB43RZ97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	iJB43RZ97.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4868-48-0x0000000004B00000-0x0000000004B46000-memory.dmp	family_redline
behavioral1/memory/4868-50-0x0000000004E60000-0x0000000004EA4000-memory.dmp	family_redline
behavioral1/memory/4868-68-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-72-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-114-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-112-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-110-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-108-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-106-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-102-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-100-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-98-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-96-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-94-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-92-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-90-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-88-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-86-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-82-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-80-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-78-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-76-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-74-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-70-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-66-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-64-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-62-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-60-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-58-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-56-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-104-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-84-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-54-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-52-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline
behavioral1/memory/4868-51-0x0000000004E60000-0x0000000004E9E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 7 IoCs

pid	Process
4548	vmfF54nE55.exe
3944	vmNE37Ks79.exe
180	vmLp98vq81.exe
4680	vmef37Mg60.exe
1872	vmcj12Ry79.exe
2696	iJB43RZ97.exe
4868	kLT22Nc01.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	iJB43RZ97.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1d58eee936478ff8990e80a0cef7803d61375f33362c2ad5e2131c18463c25ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vmfF54nE55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vmNE37Ks79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	vmLp98vq81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	vmef37Mg60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	vmcj12Ry79.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmNE37Ks79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmLp98vq81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmef37Mg60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmcj12Ry79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kLT22Nc01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d58eee936478ff8990e80a0cef7803d61375f33362c2ad5e2131c18463c25ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmfF54nE55.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2696	iJB43RZ97.exe
2696	iJB43RZ97.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	iJB43RZ97.exe
Token: SeDebugPrivilege	4868	kLT22Nc01.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 4548	2496	1d58eee936478ff8990e80a0cef7803d61375f33362c2ad5e2131c18463c25ac.exe	84
PID 2496 wrote to memory of 4548	2496	1d58eee936478ff8990e80a0cef7803d61375f33362c2ad5e2131c18463c25ac.exe	84
PID 2496 wrote to memory of 4548	2496	1d58eee936478ff8990e80a0cef7803d61375f33362c2ad5e2131c18463c25ac.exe	84
PID 4548 wrote to memory of 3944	4548	vmfF54nE55.exe	85
PID 4548 wrote to memory of 3944	4548	vmfF54nE55.exe	85
PID 4548 wrote to memory of 3944	4548	vmfF54nE55.exe	85
PID 3944 wrote to memory of 180	3944	vmNE37Ks79.exe	86
PID 3944 wrote to memory of 180	3944	vmNE37Ks79.exe	86
PID 3944 wrote to memory of 180	3944	vmNE37Ks79.exe	86
PID 180 wrote to memory of 4680	180	vmLp98vq81.exe	88
PID 180 wrote to memory of 4680	180	vmLp98vq81.exe	88
PID 180 wrote to memory of 4680	180	vmLp98vq81.exe	88
PID 4680 wrote to memory of 1872	4680	vmef37Mg60.exe	89
PID 4680 wrote to memory of 1872	4680	vmef37Mg60.exe	89
PID 4680 wrote to memory of 1872	4680	vmef37Mg60.exe	89
PID 1872 wrote to memory of 2696	1872	vmcj12Ry79.exe	91
PID 1872 wrote to memory of 2696	1872	vmcj12Ry79.exe	91
PID 1872 wrote to memory of 4868	1872	vmcj12Ry79.exe	96
PID 1872 wrote to memory of 4868	1872	vmcj12Ry79.exe	96
PID 1872 wrote to memory of 4868	1872	vmcj12Ry79.exe	96

C:\Users\Admin\AppData\Local\Temp\1d58eee936478ff8990e80a0cef7803d61375f33362c2ad5e2131c18463c25ac.exe
"C:\Users\Admin\AppData\Local\Temp\1d58eee936478ff8990e80a0cef7803d61375f33362c2ad5e2131c18463c25ac.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmfF54nE55.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmfF54nE55.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmNE37Ks79.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmNE37Ks79.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmLp98vq81.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmLp98vq81.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:180
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmef37Mg60.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmef37Mg60.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4680
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcj12Ry79.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcj12Ry79.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\iJB43RZ97.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\iJB43RZ97.exe
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kLT22Nc01.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kLT22Nc01.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmfF54nE55.exe

Filesize
1.2MB

MD5
5a7b32de5957043428482dc1f3b56b4a

SHA1
403ccb07229452ca7ef118a23d2c7ab4f7da20bd

SHA256
7b9d70b3c9f33afcbcee1a79ad10474e578def504d688f7baa35a9f99653464a

SHA512
7bf5d6087758df48985deb8e439be5bbe576c2c0984a61ec8a8bd498e18305b89ce739f2cbe23d02016318d58f97ca7bdb82e8b8c4df828aedfe61997e662e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmNE37Ks79.exe

Filesize
1014KB

MD5
e156b36c231e33b799aba4cdb5ac7d39

SHA1
5e475086b02ba3e1f0c7c451f746d26c23d3b0ea

SHA256
267b2b591e3c9f67052b38d761d178639e35d20098bd531a8b802280f3cb13c0

SHA512
fa2697f01a5d1758e0b54c56b394360906b4e0cee22587f80e5654b4df75d3bb710b0b50504def306363c55e746d83e1b49b08733f053722506b547ce33efdc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmLp98vq81.exe

Filesize
913KB

MD5
2944384516d18bf43bab9a5ca7181c71

SHA1
f986e99ebbda701392083c696aed8a0257ac045c

SHA256
c08f893a50a2fdaaa24bf33d61d062e26757f7c2d8eea42e0fbdeec23af1fc07

SHA512
f6ee5af4af9bfb928ca8c45a188cf6d5933a5ac12c1df9d9fed23d242d9d937b035dbca6b8d48d5d2f185fd14dbab475a55af9977ac755f2c39b258a1da08f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmef37Mg60.exe

Filesize
687KB

MD5
7fabf486e0f2fc5c5802f2dd4dc7ffa1

SHA1
d07351b07afbdf6bf5751909d216244e371d04a7

SHA256
c57692cfd4e2a64ac8d226eb73c9ed750e844fe56ef481d8426211c0ce9cd755

SHA512
dbe3bc4ca046c41a77e9809a81a4a03c6098702659c7f3fdfca35f3225d848077015e430780221feebd085d587bdebf3b36e2aa28cf21d6e28d5061deafa1cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcj12Ry79.exe

Filesize
401KB

MD5
f72888335d1745e21c6b39d4f24a0a15

SHA1
af8e72c17a2168bc9b756ee83c1885a5716e6bcf

SHA256
fe88eea62001e6e7053a18b30b2470a8739d84c10262d1d819f022fb202f627f

SHA512
ae2e4096c8b10387b142f25a56bac51a22c9c83ddc59ed3080fd1b90af92a7cfd4e964cf1755dc03a85b6108eeb33c071062f66b154986ec2cc9d752fafe1247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\iJB43RZ97.exe

Filesize
15KB

MD5
9c61bbbe646648d7041572c550027e65

SHA1
4aa05bbaff6daccba7957cfebbb79f1a1e0abd75

SHA256
8177c76360a488f2ad1ff877cd2063fbb811a0450aa128c0bb4dd420040a3faf

SHA512
f3823d874a3b87481946ef7d0b4b044ea4e72bde8fd342851de31d9dfdf384869c2e2a8794ca9f2ffaf034de8fae0392fc6cc9c941337831ea15e4d1d5ed4693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kLT22Nc01.exe

Filesize
375KB

MD5
cd6966060f9f437f1933aba4b8703cca

SHA1
9f69f3f9317a4a6526c99074bb851bc4a1c30788

SHA256
24a0f1a482ffbadb53221d40b7669cfb6352b0ccffb786a595cfeb4d9805b9f0

SHA512
d7249fb6f039225e99d30293f69453c0c08a44bf12887d656d4e30fa896aaf51d31fab132ed6840ffe0f305f3ce8cf0be315835bf221745a7b4dac27640c1929

Download Submit
memory/2696-42-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/4868-90-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-78-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-50-0x0000000004E60000-0x0000000004EA4000-memory.dmp

Filesize
272KB

Download
memory/4868-68-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-72-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-114-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-112-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-110-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-108-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-106-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-102-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-100-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-98-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-96-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-94-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-92-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-48-0x0000000004B00000-0x0000000004B46000-memory.dmp

Filesize
280KB

Download
memory/4868-88-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-86-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-82-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-80-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-49-0x0000000007360000-0x0000000007904000-memory.dmp

Filesize
5.6MB

Download
memory/4868-76-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-74-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-70-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-66-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-64-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-62-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-60-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-58-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-56-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-104-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-84-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-54-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-52-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-51-0x0000000004E60000-0x0000000004E9E000-memory.dmp

Filesize
248KB

Download
memory/4868-957-0x0000000007910000-0x0000000007F28000-memory.dmp

Filesize
6.1MB

Download
memory/4868-958-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/4868-959-0x00000000072F0000-0x0000000007302000-memory.dmp

Filesize
72KB

Download
memory/4868-960-0x0000000007310000-0x000000000734C000-memory.dmp

Filesize
240KB

Download
memory/4868-961-0x0000000008150000-0x000000000819C000-memory.dmp

Filesize
304KB

Download