healer | 5d116e793d9c86f2067640244296032577fb2f08863d0765693b22f96e2a35b6

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d116e793d9c86f2067640244296032577fb2f08863d0765693b22f96e2a35b6.exe
Size

1.3MB
MD5

a7368937d6bb117ce84417785500b8dc
SHA1

39f4f23d7fc0e8c3f90e2c054074642d9bedfeff
SHA256

5d116e793d9c86f2067640244296032577fb2f08863d0765693b22f96e2a35b6
SHA512

e11de0ced4aabe47b6ea20a65e91a21ed28a68245175713e005030a46db44da1d65325eed4675fba693d788cabe15e893214079f031f20ff8f150aa6b51b1918
SSDEEP

24576:7yrhLiZKlAY6KDJfBgqd163ubsut91iPH:uZ0KntBgqH63ubsufo

Score

10^/10

healer redline rouch discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rouch

193.56.146.11:4162

Attributes

auth_value
1b1735bcfc122c708eae27ca352568de

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cbd-40.dat	healer
behavioral1/memory/3936-42-0x0000000000CA0000-0x0000000000CAA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	beLO82WC70.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	beLO82WC70.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	beLO82WC70.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	beLO82WC70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	beLO82WC70.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	beLO82WC70.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4740-48-0x0000000002620000-0x0000000002666000-memory.dmp	family_redline
behavioral1/memory/4740-50-0x0000000002810000-0x0000000002854000-memory.dmp	family_redline
behavioral1/memory/4740-88-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-98-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-114-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-112-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-110-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-108-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-106-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-104-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-102-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-96-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-94-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-92-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-90-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-86-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-84-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-82-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-81-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-78-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-74-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-70-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-68-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-66-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-62-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-60-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-58-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-56-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-100-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-76-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-72-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-64-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-54-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-52-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline
behavioral1/memory/4740-51-0x0000000002810000-0x000000000284E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 7 IoCs

pid	Process
4472	pttd7190nP.exe
1008	ptqN2040mB.exe
3956	ptsX9741zv.exe
1028	ptFo4379Hr.exe
3900	ptnq8725Rl.exe
3936	beLO82WC70.exe
4740	cuRR85vy73.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	beLO82WC70.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5d116e793d9c86f2067640244296032577fb2f08863d0765693b22f96e2a35b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pttd7190nP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ptqN2040mB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ptsX9741zv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ptFo4379Hr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	ptnq8725Rl.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4104	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptqN2040mB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptsX9741zv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptFo4379Hr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptnq8725Rl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuRR85vy73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d116e793d9c86f2067640244296032577fb2f08863d0765693b22f96e2a35b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pttd7190nP.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3936	beLO82WC70.exe
3936	beLO82WC70.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	beLO82WC70.exe
Token: SeDebugPrivilege	4740	cuRR85vy73.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 4472	2912	5d116e793d9c86f2067640244296032577fb2f08863d0765693b22f96e2a35b6.exe	83
PID 2912 wrote to memory of 4472	2912	5d116e793d9c86f2067640244296032577fb2f08863d0765693b22f96e2a35b6.exe	83
PID 2912 wrote to memory of 4472	2912	5d116e793d9c86f2067640244296032577fb2f08863d0765693b22f96e2a35b6.exe	83
PID 4472 wrote to memory of 1008	4472	pttd7190nP.exe	85
PID 4472 wrote to memory of 1008	4472	pttd7190nP.exe	85
PID 4472 wrote to memory of 1008	4472	pttd7190nP.exe	85
PID 1008 wrote to memory of 3956	1008	ptqN2040mB.exe	87
PID 1008 wrote to memory of 3956	1008	ptqN2040mB.exe	87
PID 1008 wrote to memory of 3956	1008	ptqN2040mB.exe	87
PID 3956 wrote to memory of 1028	3956	ptsX9741zv.exe	88
PID 3956 wrote to memory of 1028	3956	ptsX9741zv.exe	88
PID 3956 wrote to memory of 1028	3956	ptsX9741zv.exe	88
PID 1028 wrote to memory of 3900	1028	ptFo4379Hr.exe	89
PID 1028 wrote to memory of 3900	1028	ptFo4379Hr.exe	89
PID 1028 wrote to memory of 3900	1028	ptFo4379Hr.exe	89
PID 3900 wrote to memory of 3936	3900	ptnq8725Rl.exe	90
PID 3900 wrote to memory of 3936	3900	ptnq8725Rl.exe	90
PID 3900 wrote to memory of 4740	3900	ptnq8725Rl.exe	97
PID 3900 wrote to memory of 4740	3900	ptnq8725Rl.exe	97
PID 3900 wrote to memory of 4740	3900	ptnq8725Rl.exe	97

C:\Users\Admin\AppData\Local\Temp\5d116e793d9c86f2067640244296032577fb2f08863d0765693b22f96e2a35b6.exe
"C:\Users\Admin\AppData\Local\Temp\5d116e793d9c86f2067640244296032577fb2f08863d0765693b22f96e2a35b6.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pttd7190nP.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pttd7190nP.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptqN2040mB.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptqN2040mB.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsX9741zv.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsX9741zv.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptFo4379Hr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptFo4379Hr.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1028
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptnq8725Rl.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptnq8725Rl.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beLO82WC70.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beLO82WC70.exe
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuRR85vy73.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuRR85vy73.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pttd7190nP.exe

Filesize
1.2MB

MD5
d354f453184da8ac8dcbc7c7abef933f

SHA1
a7592b540576ef2af25fb112692019f4efad0104

SHA256
74a013ad4b1d082609f2531a8310d17ed19c86ec0bd722a17c8015d4804d7e70

SHA512
df04d6c52f64582a05ece56c44b16220f2c5e84e74f3e60a441769db84a578792b0d7b630dcf3573dca5d02cad793ceeac2ef7dfd0bf12da4972b178292505aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptqN2040mB.exe

Filesize
1.0MB

MD5
71abd7bae0ffc3c6dea0db67ef0e24c8

SHA1
051e7d01ea5246e4c5978076ee0e74fac6cc687e

SHA256
1859cadeeed0bd4d0776068b8e0c95ee567e942de360af14bd37cba764be2f6e

SHA512
6abe718f1cfc38f9d44dcf0a71e50913fc44f308a785739889de71161ff47f1caba8a4bb9fe988571994a05b3fe64c664e64da3aad9fd6b61dfbb4c42fac4dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsX9741zv.exe

Filesize
935KB

MD5
ba0e366ab973850d4bdaa2a72c997dac

SHA1
3c5feb62405ef020e6444b80440871bbcc4ea4a3

SHA256
9c88c39e51c1020a366c5f36dc6d4f5bdcf12320d6a4ee66f44e7995088a4dfc

SHA512
8a026fa5064382c45a2ab89e1637441b6bc1c1034bc2bc360d3c09509112f671c9907f9226a98497f53c04ee7d3947c4e5b09733992bb45a4167db7a3956d737

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptFo4379Hr.exe

Filesize
666KB

MD5
8b73c3148aca4461e6633f2ad7fc144e

SHA1
6ba674e2c9ca48a0248c49610e8669ad6fef3136

SHA256
e9b881e4c7947a8d7f1594673247f65ebc7bf2a13e809c642739b758b7466d27

SHA512
9990deae3d5bb3e9de4dda21d814e8036f5e8d8903730d142d578c8fb497e3666873f2cf362c4884400f64f73e44517773d115ccc068dd0c83f2214a72065e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptnq8725Rl.exe

Filesize
391KB

MD5
c6107632a4755e45fb344d1f505d476c

SHA1
f6b1dd1b85bd1478f016248b6a06d3e2e3efdd46

SHA256
bad822e4cefc588a2f64bb5ae133fc27f9be128baa4183ea297267d9945ab0d1

SHA512
1a04256cdec277b890e9f5abcf0604dade5879f65c221468d0a3ef29d65dadce0e9c64b6dc9dcdedbaafaa07eeecfccd0a47fd9250d5bea496d1a1c75d866e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beLO82WC70.exe

Filesize
11KB

MD5
00e45ef943b851d5b217cd2f8d23300c

SHA1
47f8e8327cb97deb464231130021f973db0185b7

SHA256
be986f709448a6b755441c0dfafa1dcf706821d1aaf92bed5d719b9e030fbaed

SHA512
61d09407736d9d3ba46ec6986c38035ec81c24cfc9ee8b2881d476149ea49cbf305100e381860254461f8e4083a701fc95c1ebde90f92da550c6295bde490f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuRR85vy73.exe

Filesize
304KB

MD5
9c3e7c5879f2758bb2add2fbf488ed16

SHA1
c5a2662767f97a4860f33a9fe6cace435a3c1b02

SHA256
7ec2ec7a2ee43e8dc5523be5af507bcf31f19dfed1faa303314729d2fe456acf

SHA512
0808e8e4d00ffe2201f792095081c7fc1678ef3d75d8ae1e6d18363d1693a4bf3c1458252209a6ebd13255d8eb43c9eed45d8029a409ed511fbe3020e8b7ae8a

Download Submit
memory/3936-42-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/4740-86-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-74-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-50-0x0000000002810000-0x0000000002854000-memory.dmp

Filesize
272KB

Download
memory/4740-88-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-98-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-114-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-112-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-110-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-108-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-106-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-104-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-102-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-96-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-94-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-92-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-90-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-48-0x0000000002620000-0x0000000002666000-memory.dmp

Filesize
280KB

Download
memory/4740-84-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-82-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-81-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-78-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-49-0x0000000004D10000-0x00000000052B4000-memory.dmp

Filesize
5.6MB

Download
memory/4740-70-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-68-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-66-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-62-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-60-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-58-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-56-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-100-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-76-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-72-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-64-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-54-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-52-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-51-0x0000000002810000-0x000000000284E000-memory.dmp

Filesize
248KB

Download
memory/4740-957-0x00000000052C0000-0x00000000058D8000-memory.dmp

Filesize
6.1MB

Download
memory/4740-958-0x00000000058E0000-0x00000000059EA000-memory.dmp

Filesize
1.0MB

Download
memory/4740-959-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/4740-960-0x00000000059F0000-0x0000000005A2C000-memory.dmp

Filesize
240KB

Download
memory/4740-961-0x0000000005B30000-0x0000000005B7C000-memory.dmp

Filesize
304KB

Download