healer | 5e95b1b917d46ffbe77fd4b870300d5ecb638633cf364be557c5f84c1ab4ed7a

Analysis

max time kernel
141s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e95b1b917d46ffbe77fd4b870300d5ecb638633cf364be557c5f84c1ab4ed7a.exe
Size

788KB
MD5

442d1dc2384e9386abacf0fe4a99bed5
SHA1

b0714077c1516f4b3c6296ec696563bbe80d0068
SHA256

5e95b1b917d46ffbe77fd4b870300d5ecb638633cf364be557c5f84c1ab4ed7a
SHA512

3e3244f8fddd7fdbdd93f42600e50db4e9d202b7f420d29380cca723be3ff81f21ccfa40bf89674378956eb5144652902e4455ce6e865aef4c3ae84e6e41e479
SSDEEP

12288:zMr5y90AifwRUe651mBtxaVEu9oF+jjVsW9EaeH6A8g2OX:SyplUzOBtxQeF+jJXReH6Ab5

Score

10^/10

healer redline mango discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mango

193.233.20.28:4125

Attributes

auth_value
ecf79d7f5227d998a3501c972d915d23

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023c96-19.dat	healer
behavioral1/memory/632-22-0x0000000000CF0000-0x0000000000CFA000-memory.dmp	healer
behavioral1/memory/1140-29-0x0000000000940000-0x000000000095A000-memory.dmp	healer
behavioral1/memory/1140-31-0x00000000022C0000-0x00000000022D8000-memory.dmp	healer
behavioral1/memory/1140-59-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-57-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-55-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-53-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-52-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-49-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-47-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-46-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-43-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-41-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-39-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-37-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-35-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-33-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer
behavioral1/memory/1140-32-0x00000000022C0000-0x00000000022D2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

c73AI71.exeb3688rk.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	c73AI71.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c73AI71.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	c73AI71.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c73AI71.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b3688rk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b3688rk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	c73AI71.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b3688rk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c73AI71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b3688rk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b3688rk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b3688rk.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2464-67-0x0000000002430000-0x0000000002476000-memory.dmp	family_redline
behavioral1/memory/2464-68-0x0000000002540000-0x0000000002584000-memory.dmp	family_redline
behavioral1/memory/2464-76-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-80-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-78-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-90-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-74-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-72-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-70-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-69-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-102-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-100-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-98-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-96-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-94-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-92-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-88-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-86-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-84-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline
behavioral1/memory/2464-82-0x0000000002540000-0x000000000257E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

Processes:

tice4008.exetice5034.exeb3688rk.exec73AI71.exedYpUv36.exe

pid	Process
1500	tice4008.exe
3260	tice5034.exe
632	b3688rk.exe
1140	c73AI71.exe
2464	dYpUv36.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

c73AI71.exeb3688rk.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	c73AI71.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c73AI71.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b3688rk.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5e95b1b917d46ffbe77fd4b870300d5ecb638633cf364be557c5f84c1ab4ed7a.exetice4008.exetice5034.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e95b1b917d46ffbe77fd4b870300d5ecb638633cf364be557c5f84c1ab4ed7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tice4008.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tice5034.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2472	1140	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5e95b1b917d46ffbe77fd4b870300d5ecb638633cf364be557c5f84c1ab4ed7a.exetice4008.exetice5034.exec73AI71.exedYpUv36.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e95b1b917d46ffbe77fd4b870300d5ecb638633cf364be557c5f84c1ab4ed7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tice4008.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tice5034.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c73AI71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dYpUv36.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b3688rk.exec73AI71.exe

pid	Process
632	b3688rk.exe
632	b3688rk.exe
1140	c73AI71.exe
1140	c73AI71.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b3688rk.exec73AI71.exedYpUv36.exe

description	pid	Process
Token: SeDebugPrivilege	632	b3688rk.exe
Token: SeDebugPrivilege	1140	c73AI71.exe
Token: SeDebugPrivilege	2464	dYpUv36.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5e95b1b917d46ffbe77fd4b870300d5ecb638633cf364be557c5f84c1ab4ed7a.exetice4008.exetice5034.exe

description	pid	Process	procid_target
PID 3384 wrote to memory of 1500	3384	5e95b1b917d46ffbe77fd4b870300d5ecb638633cf364be557c5f84c1ab4ed7a.exe	83
PID 3384 wrote to memory of 1500	3384	5e95b1b917d46ffbe77fd4b870300d5ecb638633cf364be557c5f84c1ab4ed7a.exe	83
PID 3384 wrote to memory of 1500	3384	5e95b1b917d46ffbe77fd4b870300d5ecb638633cf364be557c5f84c1ab4ed7a.exe	83
PID 1500 wrote to memory of 3260	1500	tice4008.exe	84
PID 1500 wrote to memory of 3260	1500	tice4008.exe	84
PID 1500 wrote to memory of 3260	1500	tice4008.exe	84
PID 3260 wrote to memory of 632	3260	tice5034.exe	85
PID 3260 wrote to memory of 632	3260	tice5034.exe	85
PID 3260 wrote to memory of 1140	3260	tice5034.exe	98
PID 3260 wrote to memory of 1140	3260	tice5034.exe	98
PID 3260 wrote to memory of 1140	3260	tice5034.exe	98
PID 1500 wrote to memory of 2464	1500	tice4008.exe	109
PID 1500 wrote to memory of 2464	1500	tice4008.exe	109
PID 1500 wrote to memory of 2464	1500	tice4008.exe	109

C:\Users\Admin\AppData\Local\Temp\5e95b1b917d46ffbe77fd4b870300d5ecb638633cf364be557c5f84c1ab4ed7a.exe
"C:\Users\Admin\AppData\Local\Temp\5e95b1b917d46ffbe77fd4b870300d5ecb638633cf364be557c5f84c1ab4ed7a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4008.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4008.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5034.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5034.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3688rk.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3688rk.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:632
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73AI71.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73AI71.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1060
        5⤵
        Program crash
        
        PID:2472
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dYpUv36.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dYpUv36.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1140 -ip 1140
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4008.exe

Filesize
643KB

MD5
c6cd8d47885114da0f3439ae43216dd5

SHA1
550d6d32836e43bfca621e13b8ad0a7f9c1afa24

SHA256
8f83c8c7ca1d35213be22ea160925103c8345b51c9fef3f26b37fa96fe339eb5

SHA512
23055212cc716346aa158cd0b4a355e943f349fd90a82e015d57a8c0bd333523bd6c7b90089ae0fa9161270f777be32a3fe7db87ff45caac7bf3c70d665b2203

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dYpUv36.exe

Filesize
295KB

MD5
f4057b8c711b8b0979f93b8d0a45c545

SHA1
e95aa4163a38655138da530554a63579cf53a100

SHA256
1584cc8a16b72ddc4d42e097ea1db6c773d7939be131943da4aff33edc0f5639

SHA512
275899d3a1a26ea04a2fbb2ed984f2204f54220dd20fe7a1b7cacf6d692caa51f4a12da2e7b3e9eee58877c477b73bb8056aee35541983139a138cdf091206ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5034.exe

Filesize
322KB

MD5
87a7480b9c0d9854a518ddcf4aeae1ff

SHA1
0575dd3ed10325e73043076b3cec71662edc6a08

SHA256
17af382cd8979b620437c667084620a7816df6934105656b4661b2a56a6bd0aa

SHA512
f8729824761883f4d9f7750fec7c73b55522ebafdd5c6fceaa880839b324d296f91b134809d5cd2bfd9689f4b0c42d021388224d4878785c957b8e870ccce115

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3688rk.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73AI71.exe

Filesize
237KB

MD5
38e461d3db48d8c7a8ef5394a5efa426

SHA1
b2dea656e22973a77c085e8278d73d384b6fde6e

SHA256
5dc3bc8b5c236d335a6f76f5de568016debcd6b61ebe70f9b34cdcddd029fbfc

SHA512
13821a07898512e4805c5e1ac36ca7b1f4d0711360f4b04e14ffec8ff7993e154160c12baac79bc8a2ffd0bbf934ebcff57900a1a0445139cd6b310372bd91c4

Download Submit
memory/632-21-0x00007FFC7B5A3000-0x00007FFC7B5A5000-memory.dmp

Filesize
8KB

Download
memory/632-22-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/632-23-0x00007FFC7B5A3000-0x00007FFC7B5A5000-memory.dmp

Filesize
8KB

Download
memory/1140-60-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1140-31-0x00000000022C0000-0x00000000022D8000-memory.dmp

Filesize
96KB

Download
memory/1140-59-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-57-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-55-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-53-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-52-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-49-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-47-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-46-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-43-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-41-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-39-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-37-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-35-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-33-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-32-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1140-30-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/1140-62-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1140-29-0x0000000000940000-0x000000000095A000-memory.dmp

Filesize
104KB

Download
memory/2464-80-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-96-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-76-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-67-0x0000000002430000-0x0000000002476000-memory.dmp

Filesize
280KB

Download
memory/2464-78-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-90-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-74-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-72-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-70-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-69-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-102-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-100-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-98-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-68-0x0000000002540000-0x0000000002584000-memory.dmp

Filesize
272KB

Download
memory/2464-94-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-92-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-88-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-86-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-84-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-82-0x0000000002540000-0x000000000257E000-memory.dmp

Filesize
248KB

Download
memory/2464-975-0x00000000052D0000-0x00000000058E8000-memory.dmp

Filesize
6.1MB

Download
memory/2464-976-0x00000000058F0000-0x00000000059FA000-memory.dmp

Filesize
1.0MB

Download
memory/2464-977-0x0000000005A20000-0x0000000005A32000-memory.dmp

Filesize
72KB

Download
memory/2464-978-0x0000000005A40000-0x0000000005A7C000-memory.dmp

Filesize
240KB

Download
memory/2464-979-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download