healer | 423e1ee9cd3b3839760aa15463a89e9d3e09f8de5451578bc6e78d9163fdd0fc

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

423e1ee9cd3b3839760aa15463a89e9d3e09f8de5451578bc6e78d9163fdd0fc.exe
Size

864KB
MD5

20865d3a0adb691d7c976f38e21f8bcb
SHA1

ba1889b20500391f7cf155deac685f5c9fffd631
SHA256

423e1ee9cd3b3839760aa15463a89e9d3e09f8de5451578bc6e78d9163fdd0fc
SHA512

6993a72afa017909bbdfc41bc6ff1c1151894292439c4e6b4da400e57ddf53e48ec71520b375d9890c9b4758dbbb25fd40c0318e62be1f5856b2d3540cc0aed6
SSDEEP

12288:eMr6y90fZf5sQz93REj9YCtqWeDty4+tSDFFwD9F2+AA8FGkSCuHKQ9MSyxEnh:Uy85/zA5xt12y4+YbQ9F2ZzFGkRuBdh

Score

10^/10

healer redline mango discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mango

193.233.20.28:4125

Attributes

auth_value
ecf79d7f5227d998a3501c972d915d23

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b98-19.dat	healer
behavioral1/memory/1732-22-0x00000000005E0000-0x00000000005EA000-memory.dmp	healer
behavioral1/memory/3760-29-0x00000000048C0000-0x00000000048DA000-memory.dmp	healer
behavioral1/memory/3760-31-0x0000000004B30000-0x0000000004B48000-memory.dmp	healer
behavioral1/memory/3760-59-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-57-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-55-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-53-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-51-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-49-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-47-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-45-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-43-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-41-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-39-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-37-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-35-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-33-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer
behavioral1/memory/3760-32-0x0000000004B30000-0x0000000004B42000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b6743xH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b6743xH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b6743xH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b6743xH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	c11Ta63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c11Ta63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b6743xH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b6743xH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	c11Ta63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c11Ta63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	c11Ta63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c11Ta63.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/448-67-0x0000000004C30000-0x0000000004C76000-memory.dmp	family_redline
behavioral1/memory/448-68-0x0000000004E10000-0x0000000004E54000-memory.dmp	family_redline
behavioral1/memory/448-72-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-94-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-102-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-98-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-96-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-92-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-90-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-88-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-86-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-84-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-82-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-80-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-78-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-76-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-74-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-100-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-70-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline
behavioral1/memory/448-69-0x0000000004E10000-0x0000000004E4E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
3556	tice9574.exe
2028	tice3391.exe
1732	b6743xH.exe
3760	c11Ta63.exe
448	dAsSF15.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b6743xH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	c11Ta63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c11Ta63.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	423e1ee9cd3b3839760aa15463a89e9d3e09f8de5451578bc6e78d9163fdd0fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tice9574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tice3391.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5452	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
544	3760	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	423e1ee9cd3b3839760aa15463a89e9d3e09f8de5451578bc6e78d9163fdd0fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tice9574.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tice3391.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c11Ta63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dAsSF15.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1732	b6743xH.exe
1732	b6743xH.exe
3760	c11Ta63.exe
3760	c11Ta63.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	b6743xH.exe
Token: SeDebugPrivilege	3760	c11Ta63.exe
Token: SeDebugPrivilege	448	dAsSF15.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 3556	3740	423e1ee9cd3b3839760aa15463a89e9d3e09f8de5451578bc6e78d9163fdd0fc.exe	83
PID 3740 wrote to memory of 3556	3740	423e1ee9cd3b3839760aa15463a89e9d3e09f8de5451578bc6e78d9163fdd0fc.exe	83
PID 3740 wrote to memory of 3556	3740	423e1ee9cd3b3839760aa15463a89e9d3e09f8de5451578bc6e78d9163fdd0fc.exe	83
PID 3556 wrote to memory of 2028	3556	tice9574.exe	84
PID 3556 wrote to memory of 2028	3556	tice9574.exe	84
PID 3556 wrote to memory of 2028	3556	tice9574.exe	84
PID 2028 wrote to memory of 1732	2028	tice3391.exe	85
PID 2028 wrote to memory of 1732	2028	tice3391.exe	85
PID 2028 wrote to memory of 3760	2028	tice3391.exe	96
PID 2028 wrote to memory of 3760	2028	tice3391.exe	96
PID 2028 wrote to memory of 3760	2028	tice3391.exe	96
PID 3556 wrote to memory of 448	3556	tice9574.exe	101
PID 3556 wrote to memory of 448	3556	tice9574.exe	101
PID 3556 wrote to memory of 448	3556	tice9574.exe	101

C:\Users\Admin\AppData\Local\Temp\423e1ee9cd3b3839760aa15463a89e9d3e09f8de5451578bc6e78d9163fdd0fc.exe
"C:\Users\Admin\AppData\Local\Temp\423e1ee9cd3b3839760aa15463a89e9d3e09f8de5451578bc6e78d9163fdd0fc.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9574.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9574.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice3391.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice3391.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6743xH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6743xH.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c11Ta63.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c11Ta63.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3760
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 1088
        5⤵
        Program crash
        
        PID:544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dAsSF15.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dAsSF15.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3760 -ip 3760
1⤵
PID:4104

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9574.exe

Filesize
719KB

MD5
4dca20552bf285c311ea54ec34319791

SHA1
bf445e8f614c9b98a5429b4923799d563babc068

SHA256
9540df7b769630c9e7e02118490290a27b009af814c41c65a854d71e15a9e7ba

SHA512
336e3ed840537d3436a915399a1cbad4e9f644ebeacd5212d9282d951080313f7df0d71428f9e884329261a5c383aa369752c5734678ac404236088ed884d5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dAsSF15.exe

Filesize
399KB

MD5
c6bf1a64fdc55c5a10cc83bd51b50f06

SHA1
e9e7d4376337199725a9e4e7d38d73d0d9f1dd5b

SHA256
ffbda7efaa9c77f475df2f99a5ad779ca6b81a1185e32ed28421bbe2ebf7b95e

SHA512
06581042a32f80aff8d34ea7ec4fa0e6e5840f6f067a36ac910e289af8073a5896a931d21824ad111161a4d8978d4d13cf11f73417d10512904e625d3b62261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice3391.exe

Filesize
360KB

MD5
194d35497c656a7194cf13c80bc6f185

SHA1
ce4cc34596f80e58f9498d1868831f4ffaaa5f74

SHA256
1778a6258056fa272c400f72f51b164ab7674246ed4ea56b850fb9e2af7d3696

SHA512
7aff317ba185ab02236bf55439f32b8d599fd25a6f67c2f8cfd2b9e55e5b6fc61aeffea4df2bb204609cd44546f8d5f0f9f8bec01493e95ff697968efe4682da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6743xH.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c11Ta63.exe

Filesize
342KB

MD5
9e7439409d1828d833431cc54731364d

SHA1
f4697ea901f10466de839564bac104ccfff38c46

SHA256
c691c4692d33d113db12ac6e09c1f3422d81d4428561e839e8b2615b0decc01e

SHA512
e3a8774a823749d51122b784ff17bc74e599f76445685f80e776b1f55a499f69cfa34863db83df1d92e2bfad68708be6c3ec927a055fa45e964cdff6f0d7f539

Download Submit
memory/448-84-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-76-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-979-0x00000000080B0000-0x00000000080FC000-memory.dmp

Filesize
304KB

Download
memory/448-978-0x0000000007F60000-0x0000000007F9C000-memory.dmp

Filesize
240KB

Download
memory/448-977-0x0000000007F40000-0x0000000007F52000-memory.dmp

Filesize
72KB

Download
memory/448-976-0x0000000007230000-0x000000000733A000-memory.dmp

Filesize
1.0MB

Download
memory/448-975-0x0000000007910000-0x0000000007F28000-memory.dmp

Filesize
6.1MB

Download
memory/448-69-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-70-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-100-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-68-0x0000000004E10000-0x0000000004E54000-memory.dmp

Filesize
272KB

Download
memory/448-74-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-67-0x0000000004C30000-0x0000000004C76000-memory.dmp

Filesize
280KB

Download
memory/448-98-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-78-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-80-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-82-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-102-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-86-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-88-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-90-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-94-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-72-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-92-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/448-96-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/1732-23-0x00007FFB5B9D3000-0x00007FFB5B9D5000-memory.dmp

Filesize
8KB

Download
memory/1732-22-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1732-21-0x00007FFB5B9D3000-0x00007FFB5B9D5000-memory.dmp

Filesize
8KB

Download
memory/3760-45-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-51-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-49-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-60-0x0000000000400000-0x0000000002B1A000-memory.dmp

Filesize
39.1MB

Download
memory/3760-32-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-33-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-35-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-37-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-39-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-41-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-43-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-47-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-62-0x0000000000400000-0x0000000002B1A000-memory.dmp

Filesize
39.1MB

Download
memory/3760-53-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-55-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-57-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-59-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/3760-31-0x0000000004B30000-0x0000000004B48000-memory.dmp

Filesize
96KB

Download
memory/3760-30-0x0000000007130000-0x00000000076D4000-memory.dmp

Filesize
5.6MB

Download
memory/3760-29-0x00000000048C0000-0x00000000048DA000-memory.dmp

Filesize
104KB

Download