healer | b82750cab036a21ecf6b44be42d10db314fce2d1275cd28327acef6ed18a182a

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdbc86b6757b826910141e2f12f4516df9594d7b8494cb2787e367a088941b2aN.exe
Size

1.3MB
MD5

3591bada34bf6613fbd3ae779d8580a4
SHA1

56a7e9824326b4cab52c3a2e004539312ed1c350
SHA256

b82750cab036a21ecf6b44be42d10db314fce2d1275cd28327acef6ed18a182a
SHA512

6dbe7385c8f875f1497b3ef66c02108a3b50543ed43ebb029f8f9d579e5c6fb5efc9e3c3354fc41999710db6935bdfe821bfa8b2d02027b2a34e95a3b2b5f1bd
SSDEEP

24576:UyTrzPSDFKBpRbSlKZxKRZKXq7hNmzMKo4fh1wUKBXGvOqNv3V:jTrW5KBpRGsqbKXqPmH622qdF

Score

10^/10

healer redline rouch discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rouch

193.56.146.11:4162

Attributes

auth_value
1b1735bcfc122c708eae27ca352568de

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b9d-39.dat	healer
behavioral1/memory/1776-42-0x0000000000C90000-0x0000000000C9A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	beHG68GN40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	beHG68GN40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	beHG68GN40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	beHG68GN40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	beHG68GN40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	beHG68GN40.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/5060-48-0x0000000002470000-0x00000000024B6000-memory.dmp	family_redline
behavioral1/memory/5060-50-0x0000000002630000-0x0000000002674000-memory.dmp	family_redline
behavioral1/memory/5060-60-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-58-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-114-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-112-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-110-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-108-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-106-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-104-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-102-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-100-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-96-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-94-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-92-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-90-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-88-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-86-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-84-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-82-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-80-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-78-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-76-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-72-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-70-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-68-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-66-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-64-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-63-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-56-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-54-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-98-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-74-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-52-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline
behavioral1/memory/5060-51-0x0000000002630000-0x000000000266E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 7 IoCs

pid	Process
3204	ptaZ1251jB.exe
3976	ptTB7337Iz.exe
1108	ptEU4654Lf.exe
1116	ptvi3308kL.exe
2884	ptwq3630Wb.exe
1776	beHG68GN40.exe
5060	curx50fs20.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	beHG68GN40.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bdbc86b6757b826910141e2f12f4516df9594d7b8494cb2787e367a088941b2aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ptaZ1251jB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ptTB7337Iz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ptEU4654Lf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ptvi3308kL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	ptwq3630Wb.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdbc86b6757b826910141e2f12f4516df9594d7b8494cb2787e367a088941b2aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptaZ1251jB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptTB7337Iz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptEU4654Lf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptvi3308kL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptwq3630Wb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curx50fs20.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1776	beHG68GN40.exe
1776	beHG68GN40.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	beHG68GN40.exe
Token: SeDebugPrivilege	5060	curx50fs20.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 3204	320	bdbc86b6757b826910141e2f12f4516df9594d7b8494cb2787e367a088941b2aN.exe	83
PID 320 wrote to memory of 3204	320	bdbc86b6757b826910141e2f12f4516df9594d7b8494cb2787e367a088941b2aN.exe	83
PID 320 wrote to memory of 3204	320	bdbc86b6757b826910141e2f12f4516df9594d7b8494cb2787e367a088941b2aN.exe	83
PID 3204 wrote to memory of 3976	3204	ptaZ1251jB.exe	85
PID 3204 wrote to memory of 3976	3204	ptaZ1251jB.exe	85
PID 3204 wrote to memory of 3976	3204	ptaZ1251jB.exe	85
PID 3976 wrote to memory of 1108	3976	ptTB7337Iz.exe	87
PID 3976 wrote to memory of 1108	3976	ptTB7337Iz.exe	87
PID 3976 wrote to memory of 1108	3976	ptTB7337Iz.exe	87
PID 1108 wrote to memory of 1116	1108	ptEU4654Lf.exe	88
PID 1108 wrote to memory of 1116	1108	ptEU4654Lf.exe	88
PID 1108 wrote to memory of 1116	1108	ptEU4654Lf.exe	88
PID 1116 wrote to memory of 2884	1116	ptvi3308kL.exe	90
PID 1116 wrote to memory of 2884	1116	ptvi3308kL.exe	90
PID 1116 wrote to memory of 2884	1116	ptvi3308kL.exe	90
PID 2884 wrote to memory of 1776	2884	ptwq3630Wb.exe	91
PID 2884 wrote to memory of 1776	2884	ptwq3630Wb.exe	91
PID 2884 wrote to memory of 5060	2884	ptwq3630Wb.exe	97
PID 2884 wrote to memory of 5060	2884	ptwq3630Wb.exe	97
PID 2884 wrote to memory of 5060	2884	ptwq3630Wb.exe	97

C:\Users\Admin\AppData\Local\Temp\bdbc86b6757b826910141e2f12f4516df9594d7b8494cb2787e367a088941b2aN.exe
"C:\Users\Admin\AppData\Local\Temp\bdbc86b6757b826910141e2f12f4516df9594d7b8494cb2787e367a088941b2aN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptaZ1251jB.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptaZ1251jB.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptTB7337Iz.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptTB7337Iz.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptEU4654Lf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptEU4654Lf.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptvi3308kL.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptvi3308kL.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1116
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptwq3630Wb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptwq3630Wb.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beHG68GN40.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beHG68GN40.exe
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\curx50fs20.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\curx50fs20.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptaZ1251jB.exe

Filesize
1.2MB

MD5
552f6cb77703dd1e24f37a386c72ef70

SHA1
5bbd0e6dfa244d16cfd284f230d01975007afb94

SHA256
f8e854bda0695e95549dabd720dc428bec56e2d0148e50e752c1cf3aa024d1b6

SHA512
16b225c04d3ad96e0bf0ea47b1cedd8a2643be74b17b86f2848d6862169b8e39de6a6dc8c0fd45c8574c4540758c5b322369d778d89b7485d85ff32f32c8e9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptTB7337Iz.exe

Filesize
1.0MB

MD5
d3887c4d36c3553e9a63311b886a4cac

SHA1
212b548aea48270d126f1e81fd22ca733e6da810

SHA256
225b5ba8d15c4862024e7f05b2b24a706b991432030327960ab8cafe3eeb3fc4

SHA512
dcc30be24714537cb0ef6c1664fe2078b61497689cfac50074529d394653d307303a06b44dcdd232d5321d7e3aa035cf1f86efeecd4e05583df694bd7e030941

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptEU4654Lf.exe

Filesize
936KB

MD5
f23190c6f5e31fd1f6cfbab2ec2d60c9

SHA1
619cf76ede8c11acf587ccc92462e77c2c8043d9

SHA256
9b410c9adadfbdf50fb587b034c660536ed6448751c4f77a24b51a293e341125

SHA512
869c4140b09bb74dfc28e6f4379629cd9f93b88d5691e64fb3a80945ec8b38336aca377f3b80ae8903f40b476065d045e1f2ff9a9c7952b3bebb82d74b1da4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptvi3308kL.exe

Filesize
667KB

MD5
2ea4535e75c066df7a72cf8d0086f42a

SHA1
9e30c6089da1e450fea23bb8aadd876e66381ff6

SHA256
8b121fd7d2c003e70305a226015cb56e30683a3674435e1cb6eaa0527029c550

SHA512
6fcb867e423a22b3cd17a95554574c5bff91b786a168855279b5911a6fc8c243ed8794c12650efac7b7a64c60ccaf4f1057b91170674933b86b3718b5b062ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptwq3630Wb.exe

Filesize
391KB

MD5
598ac2707f5489fce3c2f1f29330ba7d

SHA1
1a610543f91f07406859979e760c2262eafaa8d7

SHA256
c46412c1ab9edd72f881d88c9f9d4f0848d7ed7164aa5578033321adf9181ad0

SHA512
748f9a2d2f56be0a1477677079892610da729081ba4a50915de76082f9a1bb8b96b79c07ba684cf219663e50a806ea60a54b959e0594599da02d28ab0eb88743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beHG68GN40.exe

Filesize
11KB

MD5
939a4c26894b6e43bf30755f11f861ce

SHA1
8a68588cde36acf688882c6f5108e345c50bfdad

SHA256
270b3cc128b102f1825cc1bf36b0fe2daf6351b6e4dddd8bf409b8d5d8f07c71

SHA512
a9cf1fcae5e7e2fafed8cda162308bf665760f2f5094bb375bab6d98f234c1a1861e5d220f0f9d05e7203f49add541252b84b4d48fd424f5b6acc94031318e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\curx50fs20.exe

Filesize
304KB

MD5
9c3e7c5879f2758bb2add2fbf488ed16

SHA1
c5a2662767f97a4860f33a9fe6cace435a3c1b02

SHA256
7ec2ec7a2ee43e8dc5523be5af507bcf31f19dfed1faa303314729d2fe456acf

SHA512
0808e8e4d00ffe2201f792095081c7fc1678ef3d75d8ae1e6d18363d1693a4bf3c1458252209a6ebd13255d8eb43c9eed45d8029a409ed511fbe3020e8b7ae8a

Download Submit
memory/1776-42-0x0000000000C90000-0x0000000000C9A000-memory.dmp

Filesize
40KB

Download
memory/5060-90-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-80-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-50-0x0000000002630000-0x0000000002674000-memory.dmp

Filesize
272KB

Download
memory/5060-60-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-58-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-114-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-112-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-110-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-108-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-106-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-104-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-102-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-100-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-96-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-94-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-92-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-48-0x0000000002470000-0x00000000024B6000-memory.dmp

Filesize
280KB

Download
memory/5060-88-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-86-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-84-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-82-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-49-0x0000000004CC0000-0x0000000005264000-memory.dmp

Filesize
5.6MB

Download
memory/5060-78-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-76-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-72-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-70-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-68-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-66-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-64-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-63-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-56-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-54-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-98-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-74-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-52-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-51-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/5060-957-0x0000000005270000-0x0000000005888000-memory.dmp

Filesize
6.1MB

Download
memory/5060-958-0x0000000005890000-0x000000000599A000-memory.dmp

Filesize
1.0MB

Download
memory/5060-959-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/5060-960-0x00000000059C0000-0x00000000059FC000-memory.dmp

Filesize
240KB

Download
memory/5060-961-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download