healer | d3a4537177c9949e90d0060bd054303845c07abf1b9ce917466da2e577fa21a5

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3a4537177c9949e90d0060bd054303845c07abf1b9ce917466da2e577fa21a5.exe
Size

1.2MB
MD5

1280cf86135938a3ea643901aacbc9f3
SHA1

151999a8856e19a4250d35f71e756e6e39a4d343
SHA256

d3a4537177c9949e90d0060bd054303845c07abf1b9ce917466da2e577fa21a5
SHA512

ecbd50884fccf36c3681b64e2f26089bd65a3aebebe59541b8f7b49ccdbcd34dc76071c03e579dc3b0f5521dd9f3e5de441f98721861fe430e63926dd0ecacc4
SSDEEP

24576:LyU6ZYOYuKk1ok78byaoj7GMl9v+hEjipFS2sUfclm284YbXXhT4:+U101Bgbyaoj73f+EjipFS2sUUlmJ4YN

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c0a-32.dat	healer
behavioral1/memory/4460-35-0x0000000000010000-0x000000000001A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	buKg16ZW06.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	buKg16ZW06.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	buKg16ZW06.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	buKg16ZW06.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	buKg16ZW06.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	buKg16ZW06.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3084-41-0x0000000004DF0000-0x0000000004E36000-memory.dmp	family_redline
behavioral1/memory/3084-43-0x0000000004E70000-0x0000000004EB4000-memory.dmp	family_redline
behavioral1/memory/3084-71-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-73-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-107-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-105-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-101-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-99-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-97-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-95-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-93-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-89-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-87-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-85-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-83-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-81-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-79-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-77-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-75-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-69-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-67-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-66-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-63-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-59-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-57-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-55-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-53-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-103-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-91-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-61-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-51-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-49-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-47-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-45-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline
behavioral1/memory/3084-44-0x0000000004E70000-0x0000000004EAE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
1672	plrT65Oi85.exe
32	plEM79zb03.exe
1708	plml36wH84.exe
5100	plHi56BK18.exe
4460	buKg16ZW06.exe
3084	catm83iO62.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	buKg16ZW06.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d3a4537177c9949e90d0060bd054303845c07abf1b9ce917466da2e577fa21a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plrT65Oi85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plEM79zb03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plml36wH84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	plHi56BK18.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3a4537177c9949e90d0060bd054303845c07abf1b9ce917466da2e577fa21a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plrT65Oi85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plEM79zb03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plml36wH84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plHi56BK18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	catm83iO62.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	buKg16ZW06.exe
4460	buKg16ZW06.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	buKg16ZW06.exe
Token: SeDebugPrivilege	3084	catm83iO62.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1672	1496	d3a4537177c9949e90d0060bd054303845c07abf1b9ce917466da2e577fa21a5.exe	83
PID 1496 wrote to memory of 1672	1496	d3a4537177c9949e90d0060bd054303845c07abf1b9ce917466da2e577fa21a5.exe	83
PID 1496 wrote to memory of 1672	1496	d3a4537177c9949e90d0060bd054303845c07abf1b9ce917466da2e577fa21a5.exe	83
PID 1672 wrote to memory of 32	1672	plrT65Oi85.exe	84
PID 1672 wrote to memory of 32	1672	plrT65Oi85.exe	84
PID 1672 wrote to memory of 32	1672	plrT65Oi85.exe	84
PID 32 wrote to memory of 1708	32	plEM79zb03.exe	85
PID 32 wrote to memory of 1708	32	plEM79zb03.exe	85
PID 32 wrote to memory of 1708	32	plEM79zb03.exe	85
PID 1708 wrote to memory of 5100	1708	plml36wH84.exe	86
PID 1708 wrote to memory of 5100	1708	plml36wH84.exe	86
PID 1708 wrote to memory of 5100	1708	plml36wH84.exe	86
PID 5100 wrote to memory of 4460	5100	plHi56BK18.exe	87
PID 5100 wrote to memory of 4460	5100	plHi56BK18.exe	87
PID 5100 wrote to memory of 3084	5100	plHi56BK18.exe	96
PID 5100 wrote to memory of 3084	5100	plHi56BK18.exe	96
PID 5100 wrote to memory of 3084	5100	plHi56BK18.exe	96

C:\Users\Admin\AppData\Local\Temp\d3a4537177c9949e90d0060bd054303845c07abf1b9ce917466da2e577fa21a5.exe
"C:\Users\Admin\AppData\Local\Temp\d3a4537177c9949e90d0060bd054303845c07abf1b9ce917466da2e577fa21a5.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plrT65Oi85.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plrT65Oi85.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEM79zb03.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEM79zb03.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:32
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plml36wH84.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plml36wH84.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plHi56BK18.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plHi56BK18.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5100
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buKg16ZW06.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buKg16ZW06.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catm83iO62.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catm83iO62.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plrT65Oi85.exe

Filesize
1.0MB

MD5
079ce2f075566c65a7153a68c3423d3c

SHA1
c059f4806d08f1cf980cca2ccfe95edb13549296

SHA256
d064df1b0b640f1ee5198c835503322daa0d4657bf8e122c2ca933393d03e4f8

SHA512
be3c63f77219c0085a70c5233b9544501dcd7173ef435d1a9b83d5df40d33995d2e98f8feafb40baf7ddd5385b6563c66d427123fe1c3a92765f20670eda9764

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEM79zb03.exe

Filesize
959KB

MD5
7b522a31463effc47d17fbe23b4cbef5

SHA1
d1b21e456705f8d9feb4a7131286110788c4ce96

SHA256
0d018b44f995065248ffab88b785979bce9842a69cd74bedf298b6142595b716

SHA512
540c4221c6d1bba1cc60037866f43870016ab7f2b2c6b848d568faaa8daebcac734dc659e3244c0b3b4015eafb07f8b5a765e5f1d526047415639c7b5f433057

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plml36wH84.exe

Filesize
682KB

MD5
9ee661f3b53bc3c2cdda9bb3be3fc899

SHA1
dce3e59faf8d4be0a1ed3fe24ea52f9453df3104

SHA256
bd9743e3b7c9fad86cb16e346e529019d60f146b08130a49e85ccbe14cba8af2

SHA512
70f5951447716ad3fb98809d6257730f6db92fbc790c9d850b4bf7564b16b085d74699498973841e355f0d49b4309c813101aede6c2c504537340ceb74499456

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plHi56BK18.exe

Filesize
399KB

MD5
083c52ab32895fbe2cc7af4d9ffe6f20

SHA1
5a8eb16c586e61677814ba54f9bb0e63f3a5269b

SHA256
5f95d04934e9f95a630e6c28d28b90c8c3f7be59b59315c1bfc63e37157ef480

SHA512
79b99350f67c58b2743bc5e62d17e67f423bd6fa79bdeca06201a90845ae7ea9f5c029da57daa128bb1aee537a67ecb3440870314c3bc7637cff6e6343f2d6b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buKg16ZW06.exe

Filesize
13KB

MD5
2c35c9a60829e4f20fb404062bf2196a

SHA1
4aa7722f1425e12dc58dbdb61b901dc3af21fb63

SHA256
56287aea6b3aa68167b13bba7ea083a5ef2e8c8c9f31c491e3bcf2943584203b

SHA512
1038d280f6abd984ee16def1b968b883977b86e15cc1a0dd1b70d4c27da4439288ac067d6e41934917d349285341c3d7e0266d5de5b7db92db5f6f031c005c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catm83iO62.exe

Filesize
374KB

MD5
049b7e9c3b3777fd130ad01127cd8268

SHA1
7f56ea5b4e7029a2da226d899ddfce99ff960e0f

SHA256
aff2553c6b6d9a7f84838eb4a2b47cbb3891e122ba04e305c020e68b27847b68

SHA512
d89cdb1b58ceb4d9b83ab498fc69e5c423b9f44ea2eb24a07b860a6594462899cb1d08e5427dd57473fa2b15d233744f7f7e9fd5f7ae082387a0072c278e0aa1

Download Submit
memory/3084-79-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-69-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-42-0x0000000007350000-0x00000000078F4000-memory.dmp

Filesize
5.6MB

Download
memory/3084-43-0x0000000004E70000-0x0000000004EB4000-memory.dmp

Filesize
272KB

Download
memory/3084-71-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-73-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-107-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-105-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-101-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-99-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-97-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-95-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-93-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-89-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-87-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-85-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-83-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-81-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-954-0x0000000008170000-0x00000000081BC000-memory.dmp

Filesize
304KB

Download
memory/3084-77-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-75-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-41-0x0000000004DF0000-0x0000000004E36000-memory.dmp

Filesize
280KB

Download
memory/3084-67-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-66-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-63-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-59-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-57-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-55-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-53-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-103-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-91-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-61-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-51-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-49-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-47-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-45-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-44-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3084-950-0x0000000007900000-0x0000000007F18000-memory.dmp

Filesize
6.1MB

Download
memory/3084-951-0x0000000007F20000-0x000000000802A000-memory.dmp

Filesize
1.0MB

Download
memory/3084-952-0x00000000072F0000-0x0000000007302000-memory.dmp

Filesize
72KB

Download
memory/3084-953-0x0000000008030000-0x000000000806C000-memory.dmp

Filesize
240KB

Download
memory/4460-35-0x0000000000010000-0x000000000001A000-memory.dmp

Filesize
40KB

Download