healer | b9ec275f6c38217d38c0f1c76aa71f9de77784d3af16da44357b3f7dab268816

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 01:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9ec275f6c38217d38c0f1c76aa71f9de77784d3af16da44357b3f7dab268816.exe
Size

1.0MB
MD5

0ef47ad6942220d8d0634bfa4edb6668
SHA1

8bc2a764293494c5913c3af68fe9abaad08ad482
SHA256

b9ec275f6c38217d38c0f1c76aa71f9de77784d3af16da44357b3f7dab268816
SHA512

45129e1e62602d132007dc430752f277770b1b007b4b369e6bf2ae60b855d5289eae13c5b7d205fc62e0588ba02c55369a490c5f3af85d1f36880e7a1f124336
SSDEEP

24576:cy7zoMS+GwFbOxbpkcPYcJlKJD9IZrq21fWnV1Io6Z/agET:LiLrNJGD25qxV1IRyg

Score

10^/10

healer redline droz norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

77.91.124.145:4125

Attributes

auth_value
d099adf6dbf6ccb8e16967104280634a

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/920-25-0x0000000000800000-0x000000000081A000-memory.dmp	healer
behavioral1/memory/920-27-0x00000000023E0000-0x00000000023F8000-memory.dmp	healer
behavioral1/memory/920-55-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-53-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-51-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-49-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-47-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-45-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-43-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-41-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-39-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-37-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-35-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-33-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-31-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-29-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/920-28-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr750765.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr750765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr750765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr750765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr750765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr750765.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/5028-2149-0x0000000005410000-0x0000000005442000-memory.dmp	family_redline
behavioral1/files/0x0011000000023b70-2154.dat	family_redline
behavioral1/memory/5804-2162-0x0000000000A90000-0x0000000000AC0000-memory.dmp	family_redline
behavioral1/files/0x0007000000023cc1-2172.dat	family_redline
behavioral1/memory/5104-2173-0x0000000000E50000-0x0000000000E7E000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	qu277919.exe

Executes dropped EXE 6 IoCs

pid	Process
624	un898060.exe
3912	un511644.exe
920	pr750765.exe
5028	qu277919.exe
5804	1.exe
5104	rk298432.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr750765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr750765.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b9ec275f6c38217d38c0f1c76aa71f9de77784d3af16da44357b3f7dab268816.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un898060.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un511644.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3996	920	WerFault.exe	87
3480	5028	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr750765.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu277919.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk298432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9ec275f6c38217d38c0f1c76aa71f9de77784d3af16da44357b3f7dab268816.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un898060.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un511644.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
920	pr750765.exe
920	pr750765.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	920	pr750765.exe
Token: SeDebugPrivilege	5028	qu277919.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 624	1232	b9ec275f6c38217d38c0f1c76aa71f9de77784d3af16da44357b3f7dab268816.exe	84
PID 1232 wrote to memory of 624	1232	b9ec275f6c38217d38c0f1c76aa71f9de77784d3af16da44357b3f7dab268816.exe	84
PID 1232 wrote to memory of 624	1232	b9ec275f6c38217d38c0f1c76aa71f9de77784d3af16da44357b3f7dab268816.exe	84
PID 624 wrote to memory of 3912	624	un898060.exe	85
PID 624 wrote to memory of 3912	624	un898060.exe	85
PID 624 wrote to memory of 3912	624	un898060.exe	85
PID 3912 wrote to memory of 920	3912	un511644.exe	87
PID 3912 wrote to memory of 920	3912	un511644.exe	87
PID 3912 wrote to memory of 920	3912	un511644.exe	87
PID 3912 wrote to memory of 5028	3912	un511644.exe	100
PID 3912 wrote to memory of 5028	3912	un511644.exe	100
PID 3912 wrote to memory of 5028	3912	un511644.exe	100
PID 5028 wrote to memory of 5804	5028	qu277919.exe	101
PID 5028 wrote to memory of 5804	5028	qu277919.exe	101
PID 5028 wrote to memory of 5804	5028	qu277919.exe	101
PID 624 wrote to memory of 5104	624	un898060.exe	104
PID 624 wrote to memory of 5104	624	un898060.exe	104
PID 624 wrote to memory of 5104	624	un898060.exe	104

C:\Users\Admin\AppData\Local\Temp\b9ec275f6c38217d38c0f1c76aa71f9de77784d3af16da44357b3f7dab268816.exe
"C:\Users\Admin\AppData\Local\Temp\b9ec275f6c38217d38c0f1c76aa71f9de77784d3af16da44357b3f7dab268816.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un898060.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un898060.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un511644.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un511644.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr750765.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr750765.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:920
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1084
        5⤵
        Program crash
        
        PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu277919.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu277919.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1188
        5⤵
        Program crash
        
        PID:3480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk298432.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk298432.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 920 -ip 920
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5028 -ip 5028
1⤵
PID:5744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un898060.exe

Filesize
801KB

MD5
0f1eee0004a02743c5b4ab58acf323a8

SHA1
e1c80f7d9876431f56442efc85dbe4073fe885dd

SHA256
3319285cbfd7027eb39337067b7651f453bf2cb71f9c6242359a67603aa71f01

SHA512
3ba579e7d857b74f36153236e1003c32f9e1a3bb8a66e4f2cdba440ba982b68ce0676137c8cfd13223bba212df544ead8f1d3e2ce49e35d7f125fa902278f130

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk298432.exe

Filesize
168KB

MD5
d0aa3a76e86a7fb3cb5e9acfacff18e0

SHA1
30ef9588e2db5a755e08bd241816bc84a5ebc857

SHA256
3b55771a6c541594353fca8a240707c99617342d21ff600f60dbb2b977b789ce

SHA512
1a8301a8f73a4ba641a507434e3ad939d639bc6914875628a2492f13bed8fadef20e13090595c29d92c606b415c5d71ca236c5308841b17b53550872cb4100b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un511644.exe

Filesize
647KB

MD5
ccd7d822ac028f2979ac3ba48fa4ce89

SHA1
5b2fa20bb75f2e7035f46c4950721af7b4755b5a

SHA256
0cfa059937cfba75c9f7604591d5071780fd5c81526b9b8ef31a129ab31f424b

SHA512
a279b07a51040c310701f64cb83a49fcfe60c55882483ad8b5a904c9976374d5805d925b12a35c90516e807cd984f7641646e2a67f397a927fb91301e6ee1b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr750765.exe

Filesize
243KB

MD5
6c153f3e2067c95eb24f83c9905decc8

SHA1
359e057af6f81f41b4719e61a6ce5855a9a23317

SHA256
388bb536f080faf05859c76471e5e849b77556cda1b9c812217084cf73f084b6

SHA512
e6b327711ad71e37b7ca91df9af4595f138d9f60c5f92e1c613cdd20a1413d343058d5866671dbddadbd421c6076daff447f3d9c26826a99eb85fb875dcfdea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu277919.exe

Filesize
426KB

MD5
9945b8552f70a0cf6201ea21cd4b7174

SHA1
df2a13b44f1e1b19d5654372543f120420c01168

SHA256
11e97d217737a8130264f37f3b90eb3d4e75a1766232094d0ce243dc5b60d2d8

SHA512
e8c7cd87ffb3f117d0b81d728bb87dea7fcf269b56e983260d5770253a3a8fa130f5e6e8c6201b6d1b0ccf41344bfb5040909bcb90fab62ef69ba19ce05384b6

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/920-62-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/920-26-0x0000000004BF0000-0x0000000005194000-memory.dmp

Filesize
5.6MB

Download
memory/920-27-0x00000000023E0000-0x00000000023F8000-memory.dmp

Filesize
96KB

Download
memory/920-55-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-53-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-51-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-49-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-47-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-45-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-43-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-41-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-39-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-37-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-35-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-33-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-31-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-29-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-28-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/920-56-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/920-57-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/920-58-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/920-59-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/920-61-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/920-25-0x0000000000800000-0x000000000081A000-memory.dmp

Filesize
104KB

Download
memory/920-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/920-22-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/920-23-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/5028-82-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-72-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-100-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-88-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-98-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-97-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-92-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-91-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-86-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-85-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-102-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-80-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-78-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-76-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-74-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-70-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-94-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-69-0x0000000004C20000-0x0000000004C7F000-memory.dmp

Filesize
380KB

Download
memory/5028-2149-0x0000000005410000-0x0000000005442000-memory.dmp

Filesize
200KB

Download
memory/5028-68-0x0000000004C20000-0x0000000004C86000-memory.dmp

Filesize
408KB

Download
memory/5028-67-0x0000000002560000-0x00000000025C6000-memory.dmp

Filesize
408KB

Download
memory/5104-2173-0x0000000000E50000-0x0000000000E7E000-memory.dmp

Filesize
184KB

Download
memory/5104-2174-0x0000000005670000-0x0000000005676000-memory.dmp

Filesize
24KB

Download
memory/5804-2163-0x00000000013C0000-0x00000000013C6000-memory.dmp

Filesize
24KB

Download
memory/5804-2164-0x0000000005AC0000-0x00000000060D8000-memory.dmp

Filesize
6.1MB

Download
memory/5804-2165-0x00000000055B0000-0x00000000056BA000-memory.dmp

Filesize
1.0MB

Download
memory/5804-2166-0x0000000005300000-0x0000000005312000-memory.dmp

Filesize
72KB

Download
memory/5804-2167-0x00000000054A0000-0x00000000054DC000-memory.dmp

Filesize
240KB

Download
memory/5804-2168-0x00000000054E0000-0x000000000552C000-memory.dmp

Filesize
304KB

Download
memory/5804-2162-0x0000000000A90000-0x0000000000AC0000-memory.dmp

Filesize
192KB

Download