healer | 242dfe46958235c3e326a68bec333b1d31e794b579aee8f5309cdc18c923cbc8

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

242dfe46958235c3e326a68bec333b1d31e794b579aee8f5309cdc18c923cbc8.exe
Size

786KB
MD5

1757b8d75987dcdf0a059c7cf89c0f65
SHA1

94fcce6156b3b5f99d237c966ceeb30c4a101b1a
SHA256

242dfe46958235c3e326a68bec333b1d31e794b579aee8f5309cdc18c923cbc8
SHA512

473ddb4466698faec0cee29b958aaa72f8bcb5173cd643c0d60ecc54e46fb7575793caf67e350694bdf3dfdfef7f1f9b520b8b2bafc498a52ee101f0c20fda70
SSDEEP

12288:nMrGy90VhdxrkAX6J2okBBJcFC15MFJA6pX25w86YHOccTT1jH0rjk1lS6Qcemcx:VyMdx4AKJK92FJAomezYncf1bj24wF

Score

10^/10

healer redline mango discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mango

193.233.20.28:4125

Attributes

auth_value
ecf79d7f5227d998a3501c972d915d23

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cba-19.dat	healer
behavioral1/memory/3552-22-0x0000000000B20000-0x0000000000B2A000-memory.dmp	healer
behavioral1/memory/4780-29-0x0000000002130000-0x000000000214A000-memory.dmp	healer
behavioral1/memory/4780-31-0x00000000023E0000-0x00000000023F8000-memory.dmp	healer
behavioral1/memory/4780-37-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-59-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-57-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-55-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-53-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-51-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-49-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-47-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-45-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-43-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-41-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-39-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-35-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-33-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer
behavioral1/memory/4780-32-0x00000000023E0000-0x00000000023F2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	c28IR81.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b6163mj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	c28IR81.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c28IR81.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b6163mj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b6163mj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c28IR81.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	c28IR81.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c28IR81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b6163mj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b6163mj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b6163mj.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/1272-67-0x00000000023C0000-0x0000000002406000-memory.dmp	family_redline
behavioral1/memory/1272-68-0x00000000026E0000-0x0000000002724000-memory.dmp	family_redline
behavioral1/memory/1272-74-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-69-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-72-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-103-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-100-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-98-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-97-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-94-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-93-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-90-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-88-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-86-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-84-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-82-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-80-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-70-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-78-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/1272-76-0x00000000026E0000-0x000000000271E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
704	tice4700.exe
1064	tice1396.exe
3552	b6163mj.exe
4780	c28IR81.exe
1272	dqobn96.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b6163mj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	c28IR81.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c28IR81.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	242dfe46958235c3e326a68bec333b1d31e794b579aee8f5309cdc18c923cbc8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tice4700.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tice1396.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5188	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
516	4780	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	242dfe46958235c3e326a68bec333b1d31e794b579aee8f5309cdc18c923cbc8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tice4700.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tice1396.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c28IR81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dqobn96.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3552	b6163mj.exe
3552	b6163mj.exe
4780	c28IR81.exe
4780	c28IR81.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	b6163mj.exe
Token: SeDebugPrivilege	4780	c28IR81.exe
Token: SeDebugPrivilege	1272	dqobn96.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 704	4752	242dfe46958235c3e326a68bec333b1d31e794b579aee8f5309cdc18c923cbc8.exe	84
PID 4752 wrote to memory of 704	4752	242dfe46958235c3e326a68bec333b1d31e794b579aee8f5309cdc18c923cbc8.exe	84
PID 4752 wrote to memory of 704	4752	242dfe46958235c3e326a68bec333b1d31e794b579aee8f5309cdc18c923cbc8.exe	84
PID 704 wrote to memory of 1064	704	tice4700.exe	86
PID 704 wrote to memory of 1064	704	tice4700.exe	86
PID 704 wrote to memory of 1064	704	tice4700.exe	86
PID 1064 wrote to memory of 3552	1064	tice1396.exe	87
PID 1064 wrote to memory of 3552	1064	tice1396.exe	87
PID 1064 wrote to memory of 4780	1064	tice1396.exe	94
PID 1064 wrote to memory of 4780	1064	tice1396.exe	94
PID 1064 wrote to memory of 4780	1064	tice1396.exe	94
PID 704 wrote to memory of 1272	704	tice4700.exe	98
PID 704 wrote to memory of 1272	704	tice4700.exe	98
PID 704 wrote to memory of 1272	704	tice4700.exe	98

C:\Users\Admin\AppData\Local\Temp\242dfe46958235c3e326a68bec333b1d31e794b579aee8f5309cdc18c923cbc8.exe
"C:\Users\Admin\AppData\Local\Temp\242dfe46958235c3e326a68bec333b1d31e794b579aee8f5309cdc18c923cbc8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4700.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4700.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1396.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1396.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6163mj.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6163mj.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3552
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c28IR81.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c28IR81.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1080
        5⤵
        Program crash
        
        PID:516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dqobn96.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dqobn96.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4780 -ip 4780
1⤵
PID:1688

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4700.exe

Filesize
642KB

MD5
b282be99ebc4fd944493776393b0953b

SHA1
b18827e8bba65f45a662c3a983a17a4f46fe7bf9

SHA256
0c2c1157fbc8a7a6e97a81a9e80730366c79c6588242a96f26c656fd1d52e88a

SHA512
a37e5da01cce62fa997c93c95ea87f07ca51a72167ea308997987a6ac7405f04b0b097953efeba20a857e9432292312fa17092a6dff240ad1d36c640ad1551a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dqobn96.exe

Filesize
295KB

MD5
445328539ff074c50bd348ee5a8e16da

SHA1
b5d319cd627fa9b177561a2ded0fbfc0a9f21380

SHA256
fd5067e0cbaad5aa70a6e0c527f5d85be2e57dd40aa3acad05293250bb5bb679

SHA512
3dadbb730d8e84369991430520e65132e9ec95c256ac91807b63d6603c600a090fc442e6018d38524968d54d376e06bdbb03d7e67384884b5c05fb199cc87e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1396.exe

Filesize
321KB

MD5
6e102caef0ef8835fe7cb91ea4e68d65

SHA1
cfa6ea4e9362fb9df9a29be5c66852ce083c1d71

SHA256
ac28898848d983c851647bd906d838cfee8a2c3c1a38f0871ac70982d401a625

SHA512
59c4f9a89054e800cd6c9f85a945dd8dac528b17dfe4f292792dc220eec575782d275db9200de4d70ff0b4c7627164b83925ce90c89486ff5acb10a180f63ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6163mj.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c28IR81.exe

Filesize
237KB

MD5
4c019b6465b03c8d195f6a801135a7aa

SHA1
aea4d18735034e87936f28efd83462e1b109d7b8

SHA256
04d319c84c65572a2f95323c5fe18df20fad577674d6eaf6e2bf725d89853f36

SHA512
25c0dd9d1f3f3295a54f9479270e4a3b7c1dd840253e7073165e59034ef3423ced49ed1bc3250e4e46fcad3e642227768c8a8700e4d38880f8ec813ed8b7c18f

Download Submit
memory/1272-80-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-84-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-979-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download
memory/1272-978-0x0000000005A40000-0x0000000005A7C000-memory.dmp

Filesize
240KB

Download
memory/1272-977-0x0000000005A20000-0x0000000005A32000-memory.dmp

Filesize
72KB

Download
memory/1272-976-0x00000000058E0000-0x00000000059EA000-memory.dmp

Filesize
1.0MB

Download
memory/1272-975-0x00000000052B0000-0x00000000058C8000-memory.dmp

Filesize
6.1MB

Download
memory/1272-76-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-72-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-78-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-70-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-103-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-82-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-69-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-86-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-88-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-90-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-93-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-94-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-97-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-98-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-100-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-74-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1272-67-0x00000000023C0000-0x0000000002406000-memory.dmp

Filesize
280KB

Download
memory/1272-68-0x00000000026E0000-0x0000000002724000-memory.dmp

Filesize
272KB

Download
memory/3552-21-0x00007FF813FE3000-0x00007FF813FE5000-memory.dmp

Filesize
8KB

Download
memory/3552-23-0x00007FF813FE3000-0x00007FF813FE5000-memory.dmp

Filesize
8KB

Download
memory/3552-22-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/4780-55-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-62-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4780-60-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4780-32-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-33-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-35-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-39-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-41-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-43-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-45-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-47-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-49-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-51-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-53-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-57-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-59-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-37-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4780-31-0x00000000023E0000-0x00000000023F8000-memory.dmp

Filesize
96KB

Download
memory/4780-30-0x0000000004A70000-0x0000000005014000-memory.dmp

Filesize
5.6MB

Download
memory/4780-29-0x0000000002130000-0x000000000214A000-memory.dmp

Filesize
104KB

Download