healer | dd28757ba337789b9a949b429a6dd126f498846bfdc22e0aae928380e5db0a85

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd28757ba337789b9a949b429a6dd126f498846bfdc22e0aae928380e5db0a85.exe
Size

1.0MB
MD5

b550ea8ae211d27302212c8ad9063dce
SHA1

e2839c44bfb3d96632977fc5c901e77ba426e086
SHA256

dd28757ba337789b9a949b429a6dd126f498846bfdc22e0aae928380e5db0a85
SHA512

56faf9624e3e9e5dc5e1e932d0a6eef3311b56dc18bb4a75da398860403e70c8202d99f70d559a004d0d1bc9398bbc2d05821a97b87b1a75c2838fd02fd8f7ef
SSDEEP

24576:OywkWX4luRsI0LCfbzv1YClaNyXyw+SZBtDEC+nO9Gi9K9:dwkWXSueIFfbz9YCUiQuKC+nO

Score

10^/10

healer redline dizon norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

dizon

77.91.124.145:4125

Attributes

auth_value
047038ed6238aaee09c368831591e935

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/5064-25-0x0000000002370000-0x000000000238A000-memory.dmp	healer
behavioral1/memory/5064-27-0x0000000002550000-0x0000000002568000-memory.dmp	healer
behavioral1/memory/5064-28-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-55-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-53-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-51-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-50-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-47-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-45-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-41-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-39-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-37-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-35-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-33-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-31-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-43-0x0000000002550000-0x0000000002562000-memory.dmp	healer
behavioral1/memory/5064-29-0x0000000002550000-0x0000000002562000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr721660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr721660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr721660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr721660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr721660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr721660.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/3628-2148-0x0000000005400000-0x0000000005432000-memory.dmp	family_redline
behavioral1/files/0x0011000000023b5e-2153.dat	family_redline
behavioral1/memory/3680-2161-0x0000000000060000-0x0000000000090000-memory.dmp	family_redline
behavioral1/files/0x0007000000023ca9-2171.dat	family_redline
behavioral1/memory/5208-2172-0x0000000000680000-0x00000000006B0000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	qu171670.exe

Executes dropped EXE 6 IoCs

pid	Process
4628	un370362.exe
1504	un182367.exe
5064	pr721660.exe
3628	qu171670.exe
3680	1.exe
5208	rk521032.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr721660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr721660.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dd28757ba337789b9a949b429a6dd126f498846bfdc22e0aae928380e5db0a85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un370362.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un182367.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6080	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4496	5064	WerFault.exe	87
468	3628	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk521032.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd28757ba337789b9a949b429a6dd126f498846bfdc22e0aae928380e5db0a85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un370362.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un182367.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr721660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu171670.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5064	pr721660.exe
5064	pr721660.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	pr721660.exe
Token: SeDebugPrivilege	3628	qu171670.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 4628	2116	dd28757ba337789b9a949b429a6dd126f498846bfdc22e0aae928380e5db0a85.exe	83
PID 2116 wrote to memory of 4628	2116	dd28757ba337789b9a949b429a6dd126f498846bfdc22e0aae928380e5db0a85.exe	83
PID 2116 wrote to memory of 4628	2116	dd28757ba337789b9a949b429a6dd126f498846bfdc22e0aae928380e5db0a85.exe	83
PID 4628 wrote to memory of 1504	4628	un370362.exe	85
PID 4628 wrote to memory of 1504	4628	un370362.exe	85
PID 4628 wrote to memory of 1504	4628	un370362.exe	85
PID 1504 wrote to memory of 5064	1504	un182367.exe	87
PID 1504 wrote to memory of 5064	1504	un182367.exe	87
PID 1504 wrote to memory of 5064	1504	un182367.exe	87
PID 1504 wrote to memory of 3628	1504	un182367.exe	100
PID 1504 wrote to memory of 3628	1504	un182367.exe	100
PID 1504 wrote to memory of 3628	1504	un182367.exe	100
PID 3628 wrote to memory of 3680	3628	qu171670.exe	101
PID 3628 wrote to memory of 3680	3628	qu171670.exe	101
PID 3628 wrote to memory of 3680	3628	qu171670.exe	101
PID 4628 wrote to memory of 5208	4628	un370362.exe	104
PID 4628 wrote to memory of 5208	4628	un370362.exe	104
PID 4628 wrote to memory of 5208	4628	un370362.exe	104

C:\Users\Admin\AppData\Local\Temp\dd28757ba337789b9a949b429a6dd126f498846bfdc22e0aae928380e5db0a85.exe
"C:\Users\Admin\AppData\Local\Temp\dd28757ba337789b9a949b429a6dd126f498846bfdc22e0aae928380e5db0a85.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un370362.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un370362.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un182367.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un182367.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr721660.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr721660.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1080
        5⤵
        Program crash
        
        PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu171670.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu171670.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3628
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3680
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1384
        5⤵
        Program crash
        
        PID:468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk521032.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk521032.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5064 -ip 5064
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3628 -ip 3628
1⤵
PID:5076

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:6080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un370362.exe

Filesize
795KB

MD5
e57fa8fcbfac792fbb6947bb782ab1e2

SHA1
f10663378b3110c0d86e4a0567abd08f0e1b1551

SHA256
08604479a806585eb3c842c6bd77ae7eb56bc3343fe739658aad578841e25152

SHA512
61d81027c50332e71c2d08cd66cb3ef688a6004053804c0a1e21d0ee964513faff7c942ea359b9003983f0d7223a140ba81eb1719c12e635012488cf2af2b168

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk521032.exe

Filesize
168KB

MD5
8eecb6f8baaf2454bc6669f848bd59d9

SHA1
a062da5a1bded7ef2a32d0f42f931166c5c1ea97

SHA256
a8136a4d250f19a6544650f7c0455ba9fe3485f78dec419b88afa6a2a1200324

SHA512
064bb11c6997377967948a36e15302d7b2c3ac6d623854590673bdc2eff911384a6b7848c41cf82999372cfb587e0529cc203a4c8937daeb4d2661c5d1e138af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un182367.exe

Filesize
641KB

MD5
4d65f6232db07cd2362c2574e1a599d0

SHA1
226d2447ac32544c99ef30d66a95867189100d4b

SHA256
669b44542cf8d91765ff2b3b6402649710af40f9afc078e2b95ab930614ab5c6

SHA512
74ffb922a753edb6165eed1c2e44f963b1bffa120a2e172e16b09cde8c6c93ffadffc8c6911b69d11fe4cb4254858d281cead0158d9d2b7bbf0625b676d4187d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr721660.exe

Filesize
235KB

MD5
0671a6d75fc468f2df451f25c2594f7f

SHA1
4f7c67f32a06004108e7f9221ae47854f8c93e67

SHA256
ef209585e7ff08c56f71f7600ba2772dad9526cdcd4455c0833c7b5770d904b9

SHA512
6fc117424719cc680b44a92dc088e8171de08a06b55cd57524c5687493094eac6fc052a6143e4f0bbd50c5fe98747e1565df61ae766c94ceea02e02a0d78bfda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu171670.exe

Filesize
419KB

MD5
28c87d7b54497e848bf4dbaa9403e22f

SHA1
68ecdcb4f785287fbdd6037a53dca9f7d7c74553

SHA256
0ad1b168d4cb519e30553c213e4c0d2d15abbf69c0168fad2f5a4bd11aa722c9

SHA512
148584a2151b94255e47d7ef3fbbd0a4d02a21e1b42635eae59d484ad23528c29499ca8ce9b125407870f047cbeafd4dbe451abd384f3cea388df3ef1705cf50

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/3628-75-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-66-0x0000000004B70000-0x0000000004BD6000-memory.dmp

Filesize
408KB

Download
memory/3628-97-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-101-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-2148-0x0000000005400000-0x0000000005432000-memory.dmp

Filesize
200KB

Download
memory/3628-68-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-69-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-71-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-73-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-77-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-79-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-81-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-83-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-99-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-87-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-89-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-92-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-93-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-95-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-85-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/3628-67-0x00000000051E0000-0x0000000005246000-memory.dmp

Filesize
408KB

Download
memory/3680-2166-0x0000000004A40000-0x0000000004A7C000-memory.dmp

Filesize
240KB

Download
memory/3680-2161-0x0000000000060000-0x0000000000090000-memory.dmp

Filesize
192KB

Download
memory/3680-2167-0x0000000004BD0000-0x0000000004C1C000-memory.dmp

Filesize
304KB

Download
memory/3680-2165-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3680-2164-0x0000000004AC0000-0x0000000004BCA000-memory.dmp

Filesize
1.0MB

Download
memory/3680-2163-0x0000000004FD0000-0x00000000055E8000-memory.dmp

Filesize
6.1MB

Download
memory/3680-2162-0x00000000007C0000-0x00000000007C6000-memory.dmp

Filesize
24KB

Download
memory/5064-29-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-50-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-61-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5064-43-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-31-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-33-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-35-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-37-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-39-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-41-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-45-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-22-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/5064-47-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-56-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/5064-51-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-53-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-55-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5064-57-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/5064-26-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download
memory/5064-23-0x00000000004B0000-0x00000000004DD000-memory.dmp

Filesize
180KB

Download
memory/5064-58-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5064-60-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/5064-28-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/5064-25-0x0000000002370000-0x000000000238A000-memory.dmp

Filesize
104KB

Download
memory/5064-27-0x0000000002550000-0x0000000002568000-memory.dmp

Filesize
96KB

Download
memory/5208-2172-0x0000000000680000-0x00000000006B0000-memory.dmp

Filesize
192KB

Download
memory/5208-2173-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download