healer | f64b2056a28b5ed917d7dc38097851992dd457793a6d5b263997cf9566743a98

Analysis

max time kernel
143s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f64b2056a28b5ed917d7dc38097851992dd457793a6d5b263997cf9566743a98.exe
Size

990KB
MD5

ee6aa62ff8af24bd46acabf9ad0fad6e
SHA1

4afb05ad26fa4f63bb2d326a5868b6d522c62af9
SHA256

f64b2056a28b5ed917d7dc38097851992dd457793a6d5b263997cf9566743a98
SHA512

6af9a3cc592dc273cac9aac86c27d9fcf4c3061ee9474cea355824729cd2b6c33091e3b0a7210b5a8a420d3a0db5c641f66b84f9a177124f2310f2e6623c3bba
SSDEEP

12288:nMrRy90ko+Y0snntkzOMYulmpgPtBN/kOeK3nCXM0mkVYg8j7n542d8D6eA06HuJ:6y++YIggnNHD3ifVxS942duGhQ46D5

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cb2-26.dat	healer
behavioral1/memory/2236-28-0x0000000000970000-0x000000000097A000-memory.dmp	healer
behavioral1/memory/2076-34-0x00000000048B0000-0x00000000048CA000-memory.dmp	healer
behavioral1/memory/2076-36-0x0000000004B60000-0x0000000004B78000-memory.dmp	healer
behavioral1/memory/2076-37-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-42-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-64-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-60-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-58-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-57-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-54-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-52-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-50-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-48-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-46-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-45-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-40-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-38-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer
behavioral1/memory/2076-62-0x0000000004B60000-0x0000000004B72000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz5319.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz5319.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v4579TL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v4579TL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v4579TL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz5319.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz5319.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz5319.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v4579TL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v4579TL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v4579TL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz5319.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

resource	yara_rule
behavioral1/memory/2784-72-0x0000000004B40000-0x0000000004B86000-memory.dmp	family_redline
behavioral1/memory/2784-73-0x0000000004C30000-0x0000000004C74000-memory.dmp	family_redline
behavioral1/memory/2784-77-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-83-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-81-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-79-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-102-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-85-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-75-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-74-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-107-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-105-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-103-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-101-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-99-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-97-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-95-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-93-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-91-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-89-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline
behavioral1/memory/2784-87-0x0000000004C30000-0x0000000004C6F000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
516	zap7494.exe
4056	zap3810.exe
4116	zap4189.exe
2236	tz5319.exe
2076	v4579TL.exe
2784	w03eS73.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz5319.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v4579TL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v4579TL.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7494.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap4189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f64b2056a28b5ed917d7dc38097851992dd457793a6d5b263997cf9566743a98.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3832	2076	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap7494.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap3810.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zap4189.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v4579TL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w03eS73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f64b2056a28b5ed917d7dc38097851992dd457793a6d5b263997cf9566743a98.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2236	tz5319.exe
2236	tz5319.exe
2076	v4579TL.exe
2076	v4579TL.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	tz5319.exe
Token: SeDebugPrivilege	2076	v4579TL.exe
Token: SeDebugPrivilege	2784	w03eS73.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 516	3108	f64b2056a28b5ed917d7dc38097851992dd457793a6d5b263997cf9566743a98.exe	83
PID 3108 wrote to memory of 516	3108	f64b2056a28b5ed917d7dc38097851992dd457793a6d5b263997cf9566743a98.exe	83
PID 3108 wrote to memory of 516	3108	f64b2056a28b5ed917d7dc38097851992dd457793a6d5b263997cf9566743a98.exe	83
PID 516 wrote to memory of 4056	516	zap7494.exe	84
PID 516 wrote to memory of 4056	516	zap7494.exe	84
PID 516 wrote to memory of 4056	516	zap7494.exe	84
PID 4056 wrote to memory of 4116	4056	zap3810.exe	85
PID 4056 wrote to memory of 4116	4056	zap3810.exe	85
PID 4056 wrote to memory of 4116	4056	zap3810.exe	85
PID 4116 wrote to memory of 2236	4116	zap4189.exe	87
PID 4116 wrote to memory of 2236	4116	zap4189.exe	87
PID 4116 wrote to memory of 2076	4116	zap4189.exe	95
PID 4116 wrote to memory of 2076	4116	zap4189.exe	95
PID 4116 wrote to memory of 2076	4116	zap4189.exe	95
PID 4056 wrote to memory of 2784	4056	zap3810.exe	99
PID 4056 wrote to memory of 2784	4056	zap3810.exe	99
PID 4056 wrote to memory of 2784	4056	zap3810.exe	99

C:\Users\Admin\AppData\Local\Temp\f64b2056a28b5ed917d7dc38097851992dd457793a6d5b263997cf9566743a98.exe
"C:\Users\Admin\AppData\Local\Temp\f64b2056a28b5ed917d7dc38097851992dd457793a6d5b263997cf9566743a98.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7494.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7494.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3810.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3810.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4189.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4189.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5319.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5319.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4579TL.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4579TL.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1016
        6⤵
        Program crash
        
        PID:3832
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w03eS73.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w03eS73.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2076 -ip 2076
1⤵
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7494.exe

Filesize
807KB

MD5
8312580a3f1eb00b3d5e83cc9d336e00

SHA1
5517f4341c2f2b1b30106365d4b3cb3a2ed18eaa

SHA256
40dbccf32a09394876ad3eb67f5561835c8e1c9e4888afe85cc2eb943af7c333

SHA512
95dc88c3ccbc6b3bc5ff8bced7fcb2981ec5a8a3a7b5008365917c0415337cfd9a6ab38c7392d25733b26a4e9a9efe425578c47859bb72dd34aa341f2895b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3810.exe

Filesize
665KB

MD5
bf13bca230f51d3c9bc10335208a7b87

SHA1
d471e8856cf069651839c5d2f6ad9d091d1d2505

SHA256
f6c7733a8d9e5537efb5311b5b6c2fc2814e093be0f1d8f97a3f460e7163dca9

SHA512
6e7ee757a544736cc125106bc121c537cf0eaa34372e777730db70cd813d6bdc3c9341cfa7195095101240eebf15ece4f183bc6cfd93798415d2fc555236bf19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w03eS73.exe

Filesize
336KB

MD5
93b43b6c75b4c48a9616592e9a014e6a

SHA1
b5d220e730a339bb8a15d1f87382a3a60761191c

SHA256
a97b8d191a011ee004fae24098467c2fa356791ca66a2a9b8e60ad3eb238457c

SHA512
fabf36a03addcdc35f9c9f049d3a760aed60d4170b4788ac6677aaa0c043a3584d42ac5cd1ebca9c13f7b97f3af8e5a798d5219ce287b8f8edfab12aa47067ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4189.exe

Filesize
329KB

MD5
a4d0884a8a4e01806ee1c529a03e6956

SHA1
9d577c3f7d97a5b1320d88187849c848d24b10a4

SHA256
4b8a803fb334392cc62e2297ee1402e77a48af9fd8f8c1a064e78e6a484d6b0d

SHA512
bb37ef874aed98a2c072337b4ddb1f039fa4bff976cf3352e27fc61b29b30461fd1fd02087e0867d5a1ded6275e8ffbe6a506072b743b26e453c2c583850a1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5319.exe

Filesize
11KB

MD5
a83683821454d956f5326b1d80bd1d9d

SHA1
2b21a0d9d03ceed233f5a4b183becb42b36bb3dc

SHA256
004f144f9dc25e0f06ea6f880761bff5370bd6f1ecd02bc4770ab3a98ae0f66b

SHA512
3750d50d1946d14b0fdcbf764ac29feac011fc3231fdd1e09414cb1fb9773d0192dd1aac912060aa2cafda0c0afa993d6f5c179d7a6772f3795326bd1b0ecd05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4579TL.exe

Filesize
277KB

MD5
9aab702b2211eb72ca4ea66e017268f5

SHA1
03fffc1dac742733992830eafa59d29b0c9b629f

SHA256
da8970e0bbeb18b096e4896cbaf933da7ed5cc3b7ddb6cd184e967c455d84603

SHA512
69c44ecbd6a890fad28e85bd4b8080f345b40cb9123c81d15b6fbc70881493e15c8f51b5e2a859d0779576135c45f1af1108a02bb1dd77917809b7e5ae9d8035

Download Submit
memory/2076-34-0x00000000048B0000-0x00000000048CA000-memory.dmp

Filesize
104KB

Download
memory/2076-35-0x0000000007170000-0x0000000007714000-memory.dmp

Filesize
5.6MB

Download
memory/2076-36-0x0000000004B60000-0x0000000004B78000-memory.dmp

Filesize
96KB

Download
memory/2076-37-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-42-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-64-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-60-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-58-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-57-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-54-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-52-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-50-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-48-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-46-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-45-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-40-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-38-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-62-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2076-65-0x0000000000400000-0x0000000002B73000-memory.dmp

Filesize
39.4MB

Download
memory/2076-67-0x0000000000400000-0x0000000002B73000-memory.dmp

Filesize
39.4MB

Download
memory/2236-28-0x0000000000970000-0x000000000097A000-memory.dmp

Filesize
40KB

Download
memory/2784-72-0x0000000004B40000-0x0000000004B86000-memory.dmp

Filesize
280KB

Download
memory/2784-73-0x0000000004C30000-0x0000000004C74000-memory.dmp

Filesize
272KB

Download
memory/2784-77-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-83-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-81-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-79-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-102-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-85-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-75-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-74-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-107-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-105-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-103-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-101-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-99-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-97-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-95-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-93-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-91-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-89-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-87-0x0000000004C30000-0x0000000004C6F000-memory.dmp

Filesize
252KB

Download
memory/2784-980-0x0000000007870000-0x0000000007E88000-memory.dmp

Filesize
6.1MB

Download
memory/2784-981-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/2784-982-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

Filesize
72KB

Download
memory/2784-983-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

Filesize
240KB

Download
memory/2784-984-0x0000000008110000-0x000000000815C000-memory.dmp

Filesize
304KB

Download