healer | 84ac944213f329ee37cc5d4a0db02f90db41b692d37397f9fa78c42de420b187

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84ac944213f329ee37cc5d4a0db02f90db41b692d37397f9fa78c42de420b187.exe
Size

1.0MB
MD5

552b465cbec053168ea1681e6d351e1e
SHA1

6ea0c481f33a4d77c2086de00a38c8285e4f3e15
SHA256

84ac944213f329ee37cc5d4a0db02f90db41b692d37397f9fa78c42de420b187
SHA512

0fba1f993289f96c47d3babd01d63c02da9a4bf376252ea4402ea331684db0408242e60e1719a4805462964ad5a3996c14bb0f949ba662d59cf9f2981dc528d6
SSDEEP

24576:myTR+D2r1dPzX/WkuzY9DKISxesgTEmajIk5:1TwD2r1BX+ku6D1oNfmsIk

Score

10^/10

healer redline droz norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

77.91.124.145:4125

Attributes

auth_value
d099adf6dbf6ccb8e16967104280634a

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1876-25-0x00000000023F0000-0x000000000240A000-memory.dmp	healer
behavioral1/memory/1876-27-0x00000000024A0000-0x00000000024B8000-memory.dmp	healer
behavioral1/memory/1876-37-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-55-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-53-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-52-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-49-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-47-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-45-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-43-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-41-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-39-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-35-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-33-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-31-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-29-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer
behavioral1/memory/1876-28-0x00000000024A0000-0x00000000024B2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr637474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr637474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr637474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr637474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr637474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr637474.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2620-2148-0x0000000005400000-0x0000000005432000-memory.dmp	family_redline
behavioral1/files/0x000b000000023c9b-2153.dat	family_redline
behavioral1/memory/5004-2161-0x0000000000340000-0x0000000000370000-memory.dmp	family_redline
behavioral1/files/0x0007000000023c97-2170.dat	family_redline
behavioral1/memory/5456-2172-0x0000000000A10000-0x0000000000A3E000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	qu362600.exe

Executes dropped EXE 6 IoCs

pid	Process
3012	un687834.exe
2592	un798231.exe
1876	pr637474.exe
2620	qu362600.exe
5004	1.exe
5456	rk362973.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr637474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr637474.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	84ac944213f329ee37cc5d4a0db02f90db41b692d37397f9fa78c42de420b187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un687834.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un798231.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4828	1876	WerFault.exe	85
5548	2620	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu362600.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk362973.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84ac944213f329ee37cc5d4a0db02f90db41b692d37397f9fa78c42de420b187.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un687834.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un798231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr637474.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1876	pr637474.exe
1876	pr637474.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1876	pr637474.exe
Token: SeDebugPrivilege	2620	qu362600.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 3012	812	84ac944213f329ee37cc5d4a0db02f90db41b692d37397f9fa78c42de420b187.exe	82
PID 812 wrote to memory of 3012	812	84ac944213f329ee37cc5d4a0db02f90db41b692d37397f9fa78c42de420b187.exe	82
PID 812 wrote to memory of 3012	812	84ac944213f329ee37cc5d4a0db02f90db41b692d37397f9fa78c42de420b187.exe	82
PID 3012 wrote to memory of 2592	3012	un687834.exe	83
PID 3012 wrote to memory of 2592	3012	un687834.exe	83
PID 3012 wrote to memory of 2592	3012	un687834.exe	83
PID 2592 wrote to memory of 1876	2592	un798231.exe	85
PID 2592 wrote to memory of 1876	2592	un798231.exe	85
PID 2592 wrote to memory of 1876	2592	un798231.exe	85
PID 2592 wrote to memory of 2620	2592	un798231.exe	100
PID 2592 wrote to memory of 2620	2592	un798231.exe	100
PID 2592 wrote to memory of 2620	2592	un798231.exe	100
PID 2620 wrote to memory of 5004	2620	qu362600.exe	101
PID 2620 wrote to memory of 5004	2620	qu362600.exe	101
PID 2620 wrote to memory of 5004	2620	qu362600.exe	101
PID 3012 wrote to memory of 5456	3012	un687834.exe	104
PID 3012 wrote to memory of 5456	3012	un687834.exe	104
PID 3012 wrote to memory of 5456	3012	un687834.exe	104

C:\Users\Admin\AppData\Local\Temp\84ac944213f329ee37cc5d4a0db02f90db41b692d37397f9fa78c42de420b187.exe
"C:\Users\Admin\AppData\Local\Temp\84ac944213f329ee37cc5d4a0db02f90db41b692d37397f9fa78c42de420b187.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:812
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un687834.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un687834.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un798231.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un798231.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr637474.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr637474.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1096
        5⤵
        Program crash
        
        PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu362600.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu362600.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1516
        5⤵
        Program crash
        
        PID:5548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk362973.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk362973.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1876 -ip 1876
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2620 -ip 2620
1⤵
PID:5948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un687834.exe

Filesize
799KB

MD5
bd53dd7f3678aaf2ba5dd579f2eaccbd

SHA1
80f577ac316ea1f4a893deb0753471f83601813a

SHA256
b6949bcb6a6e5b5ad88ac5615ef9489cdbff5c67451ce9049bd656aa872bf3c7

SHA512
e3b5511e0190ac44c10f6e28c86912878d3591b1bce4e6b090ebe0d621dac1c0d81d8540ef3409e35a5240c7fc0f10ae458c3404cbfdb67c601fe26bcfa49594

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk362973.exe

Filesize
168KB

MD5
27e8248f8314e5bb50b38b8213371b8c

SHA1
6221712ab968b619f8e38bd079893e155e5435f6

SHA256
297bd5442fe3ff7a3c8180350e0d7e2ec45a5c5380d0ae926e6f312a30678f44

SHA512
a4e2f3042dbbcbb79890b1506c44a3abc34dae915881536949b0e0e1aef361a6ac515e608bcabe9b8618387ddbad3fca9210bb038ceb67b2c87329ee64c79365

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un798231.exe

Filesize
645KB

MD5
902d1abeb17f256e70439889aec5cb51

SHA1
a43cdde7108b4f83a61274ceb717919506f6004f

SHA256
8dcd64d0c6d94ca6702cffca6f676eb07af0855b202d8b89cdd2fdc5d0a9dd4f

SHA512
edb2b805746e762b9183f60e2876888587bcc95eab3dcc63c351dd2662c4c6fc57b5a8bb9ab1eafa77c951dd7644eed2b059f883d77d742f023a4fafff41c09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr637474.exe

Filesize
243KB

MD5
b14b88ee1c1c5e3ab58f1c2a8cceb774

SHA1
28f2cbb7ef4556e04d4c1138e59b85b07b7ad6d9

SHA256
2dab0ea4100d90170266f36f29f6a0389305905738f3b7ac326dc3f2cfe1abb3

SHA512
16f440de722850ee019a1052ff91064c0520e6cfb142ed28a2b74606f291a253885018d0decd9d32b48f2e386c0d5e3e3d480e5beb11d0c6c72a3e022f6327e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu362600.exe

Filesize
426KB

MD5
e9598d3e011db1ef9bb0a844e5ea2f52

SHA1
39cfad09a101da52f93ad5208cd104ffc34f0889

SHA256
649f5f5aa44e11f46d7166fdb9323ca26a1c0aeb5a9c8b7250f0622e807b6a2a

SHA512
b728789a5445af10592a500d1417281820f1af67daf14bc043896b1827fe771133a23309d7c1a12f351b5b046f9c5351349e4fe41a9f00fbe2fa4fc418d9f1ee

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/1876-22-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/1876-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1876-23-0x0000000000590000-0x00000000005BD000-memory.dmp

Filesize
180KB

Download
memory/1876-25-0x00000000023F0000-0x000000000240A000-memory.dmp

Filesize
104KB

Download
memory/1876-26-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/1876-27-0x00000000024A0000-0x00000000024B8000-memory.dmp

Filesize
96KB

Download
memory/1876-37-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-55-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-53-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-52-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-49-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-47-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-45-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-43-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-41-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-39-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-35-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-33-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-31-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-29-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-28-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1876-56-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/1876-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1876-58-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1876-60-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1876-61-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2620-66-0x0000000004A60000-0x0000000004AC6000-memory.dmp

Filesize
408KB

Download
memory/2620-67-0x00000000051E0000-0x0000000005246000-memory.dmp

Filesize
408KB

Download
memory/2620-81-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-83-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-101-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-99-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-97-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-95-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-93-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-91-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-89-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-87-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-85-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-79-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-77-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-75-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-73-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-71-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-69-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-68-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2620-2148-0x0000000005400000-0x0000000005432000-memory.dmp

Filesize
200KB

Download
memory/5004-2161-0x0000000000340000-0x0000000000370000-memory.dmp

Filesize
192KB

Download
memory/5004-2162-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download
memory/5004-2163-0x00000000052E0000-0x00000000058F8000-memory.dmp

Filesize
6.1MB

Download
memory/5004-2164-0x0000000004DD0000-0x0000000004EDA000-memory.dmp

Filesize
1.0MB

Download
memory/5004-2165-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/5004-2168-0x0000000004D20000-0x0000000004D5C000-memory.dmp

Filesize
240KB

Download
memory/5004-2171-0x0000000004D70000-0x0000000004DBC000-memory.dmp

Filesize
304KB

Download
memory/5456-2172-0x0000000000A10000-0x0000000000A3E000-memory.dmp

Filesize
184KB

Download
memory/5456-2173-0x0000000002DE0000-0x0000000002DE6000-memory.dmp

Filesize
24KB

Download