healer | 4b5f905fa35268673461f18bd8cc33963b195753b771a4828115f482bfd37cba

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b5f905fa35268673461f18bd8cc33963b195753b771a4828115f482bfd37cba.exe
Size

1.1MB
MD5

680f6cb45a2ac8d50f115a19fe77b6a8
SHA1

f065b9cb5f9d8e0206885ac7b3d4f97bf2044ae9
SHA256

4b5f905fa35268673461f18bd8cc33963b195753b771a4828115f482bfd37cba
SHA512

8d0f352cec8ebe76bf403c3c90bd389484e2d3c172c25402e0e45327eb8973a18ac62dd13e68a983917653e16b7d7f62e45375599d1640ee4a3a74307bb81a73
SSDEEP

24576:wy1yeVzKuDpj3A3uKTdfVJfB+56YNnwuDVpTnsaa:31Z8uDpj3AeKTFVJZGNwCVhsa

Score

10^/10

healer redline rouch discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rouch

193.56.146.11:4162

Attributes

auth_value
1b1735bcfc122c708eae27ca352568de

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cd7-32.dat	healer
behavioral1/memory/1104-35-0x0000000000550000-0x000000000055A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	buXy16UO09.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	buXy16UO09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	buXy16UO09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	buXy16UO09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	buXy16UO09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	buXy16UO09.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3616-41-0x0000000002570000-0x00000000025B6000-memory.dmp	family_redline
behavioral1/memory/3616-43-0x0000000002700000-0x0000000002744000-memory.dmp	family_redline
behavioral1/memory/3616-53-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-57-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-107-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-105-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-103-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-99-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-97-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-95-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-93-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-91-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-89-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-87-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-83-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-81-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-79-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-77-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-75-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-73-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-71-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-67-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-65-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-63-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-61-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-59-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-55-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-51-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-49-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-101-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-85-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-69-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-47-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-45-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline
behavioral1/memory/3616-44-0x0000000002700000-0x000000000273E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
3712	plZp76Fu09.exe
336	pljA87dv77.exe
3320	plKK37yD00.exe
3572	plVT76ak78.exe
1104	buXy16UO09.exe
3616	capc28Nb94.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	buXy16UO09.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	plVT76ak78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4b5f905fa35268673461f18bd8cc33963b195753b771a4828115f482bfd37cba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plZp76Fu09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	pljA87dv77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plKK37yD00.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plVT76ak78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	capc28Nb94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b5f905fa35268673461f18bd8cc33963b195753b771a4828115f482bfd37cba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plZp76Fu09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pljA87dv77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plKK37yD00.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1104	buXy16UO09.exe
1104	buXy16UO09.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	buXy16UO09.exe
Token: SeDebugPrivilege	3616	capc28Nb94.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 3712	3660	4b5f905fa35268673461f18bd8cc33963b195753b771a4828115f482bfd37cba.exe	83
PID 3660 wrote to memory of 3712	3660	4b5f905fa35268673461f18bd8cc33963b195753b771a4828115f482bfd37cba.exe	83
PID 3660 wrote to memory of 3712	3660	4b5f905fa35268673461f18bd8cc33963b195753b771a4828115f482bfd37cba.exe	83
PID 3712 wrote to memory of 336	3712	plZp76Fu09.exe	84
PID 3712 wrote to memory of 336	3712	plZp76Fu09.exe	84
PID 3712 wrote to memory of 336	3712	plZp76Fu09.exe	84
PID 336 wrote to memory of 3320	336	pljA87dv77.exe	85
PID 336 wrote to memory of 3320	336	pljA87dv77.exe	85
PID 336 wrote to memory of 3320	336	pljA87dv77.exe	85
PID 3320 wrote to memory of 3572	3320	plKK37yD00.exe	87
PID 3320 wrote to memory of 3572	3320	plKK37yD00.exe	87
PID 3320 wrote to memory of 3572	3320	plKK37yD00.exe	87
PID 3572 wrote to memory of 1104	3572	plVT76ak78.exe	88
PID 3572 wrote to memory of 1104	3572	plVT76ak78.exe	88
PID 3572 wrote to memory of 3616	3572	plVT76ak78.exe	95
PID 3572 wrote to memory of 3616	3572	plVT76ak78.exe	95
PID 3572 wrote to memory of 3616	3572	plVT76ak78.exe	95

C:\Users\Admin\AppData\Local\Temp\4b5f905fa35268673461f18bd8cc33963b195753b771a4828115f482bfd37cba.exe
"C:\Users\Admin\AppData\Local\Temp\4b5f905fa35268673461f18bd8cc33963b195753b771a4828115f482bfd37cba.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plZp76Fu09.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plZp76Fu09.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pljA87dv77.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pljA87dv77.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKK37yD00.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKK37yD00.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3320
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plVT76ak78.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plVT76ak78.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buXy16UO09.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buXy16UO09.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\capc28Nb94.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\capc28Nb94.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plZp76Fu09.exe

Filesize
996KB

MD5
df2e332baf1a79282682be3276a6d0f5

SHA1
a15fd78e668e21e22ef55752ece0cb8cba14b1ce

SHA256
092f219358c770446d91a467590c8b6055087e2547a0d737377ba10e3718edf1

SHA512
0abf31cc52888e0a4c7c5ed200b76b10dd7b8d419e39a398930c1ed54c5534bb04d4147222359ca1f05792f36c585c10ce7270db097dee7d10a50d8cd2659de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pljA87dv77.exe

Filesize
893KB

MD5
0f1e94e79184d3f32e71c6d6ed894942

SHA1
ec00341434695e59add0693755189aa9e8cfa773

SHA256
be811bebea4654e2d9d7148382ccd01aeb9f8a6d1760fc940c5143da82ea99bf

SHA512
3659e9eef6e3a424c3953c9c98276e77b1d2ff77f28be6b7f064e12d9e6114dc6bd6339c7eb741de39f50f1afd7f878d1101aef1843e5048e4bf3aa0ecc7e47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKK37yD00.exe

Filesize
666KB

MD5
8212fad3ac6a500cb31beb47c78c0587

SHA1
9f8da0863359508b037ff3c7fb49598c8f79f000

SHA256
59de998467ff9604675500a2ecd16ec78f3582b244b68cb0bfc7f25744b05ec7

SHA512
532a0c9c1520b08998cdeb84d244927279118a4a3465b1f2eeb9a7dcf1aabb9d7d1df615647177392ef90e23d9237a3ab7d63178fbb5326824c98205ff1cae2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plVT76ak78.exe

Filesize
391KB

MD5
978164d783caf216dbf550c25d33b9df

SHA1
c3a4732d50e35d75a773462f46ac2c2dc28b8331

SHA256
30ac0eea4090c93326b4d7070c18d56b77eb5d8a06a5c333cae4715161f168d7

SHA512
0253a923e5fad5217867d3564888521546c6a82f95fd6b505ee2b8ce1da73f396a579ac0b06693250f676ddd3d0c3c05dc3b821b675c40ba621262564d799d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buXy16UO09.exe

Filesize
11KB

MD5
7b72bfb93cf6f2fbe0c0a016c7e0de37

SHA1
e018e8f8e149a2df4e18b58a58fc0ebb91f54e27

SHA256
1897b9b842ac4d78fa2312e4349fd3011980b05464d9ebca5c45a2103e383e80

SHA512
4e8ec05a9137b898cf005608a23a72ab48e79d360c744d5678453e88a2f3ab33aca6b72dbbc904301f68ee8c8ee5819d6f68b4f90b48684590c909a33f46cd91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\capc28Nb94.exe

Filesize
304KB

MD5
9c3e7c5879f2758bb2add2fbf488ed16

SHA1
c5a2662767f97a4860f33a9fe6cace435a3c1b02

SHA256
7ec2ec7a2ee43e8dc5523be5af507bcf31f19dfed1faa303314729d2fe456acf

SHA512
0808e8e4d00ffe2201f792095081c7fc1678ef3d75d8ae1e6d18363d1693a4bf3c1458252209a6ebd13255d8eb43c9eed45d8029a409ed511fbe3020e8b7ae8a

Download Submit
memory/1104-35-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/3616-79-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-71-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-43-0x0000000002700000-0x0000000002744000-memory.dmp

Filesize
272KB

Download
memory/3616-53-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-57-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-107-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-105-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-103-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-99-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-97-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-95-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-93-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-91-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-89-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-87-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-83-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-81-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-41-0x0000000002570000-0x00000000025B6000-memory.dmp

Filesize
280KB

Download
memory/3616-77-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-75-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-73-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-42-0x0000000004DA0000-0x0000000005344000-memory.dmp

Filesize
5.6MB

Download
memory/3616-67-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-65-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-63-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-61-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-59-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-55-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-51-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-49-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-101-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-85-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-69-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-47-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-45-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-44-0x0000000002700000-0x000000000273E000-memory.dmp

Filesize
248KB

Download
memory/3616-950-0x0000000005350000-0x0000000005968000-memory.dmp

Filesize
6.1MB

Download
memory/3616-951-0x0000000004C80000-0x0000000004D8A000-memory.dmp

Filesize
1.0MB

Download
memory/3616-952-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/3616-953-0x00000000059C0000-0x00000000059FC000-memory.dmp

Filesize
240KB

Download
memory/3616-954-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download