healer | 2c6d2d003a009f9a0bd913dc4873f98788e4081a16cc409fb32e07748f7d2916

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 09:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

491591a7ee17ecc82de39bee1090087b0d9e5d1aca2164368b056a5ac936aeee.exe
Size

1.0MB
MD5

b6fdcf0e43d16a2f0232418e21952e36
SHA1

fef27b4e70a98b0036a41b06dee2adeab7e1b77c
SHA256

491591a7ee17ecc82de39bee1090087b0d9e5d1aca2164368b056a5ac936aeee
SHA512

7951231ac9952e0373483a2020c75af1809d55b0abef5a874cdd44123c80f92a5c2a8f3aee48b4c70b05e269dfd833d764c2c16f539625a5309100b0505f69bf
SSDEEP

24576:iyqCIYsZfI26RwJcew+raXX79bcrNVxlBQPFnoS:JqLY0UZIyXJbcrZlWFn

Score

10^/10

healer redline droz norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

77.91.124.145:4125

Attributes

auth_value
d099adf6dbf6ccb8e16967104280634a

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2568-25-0x00000000008A0000-0x00000000008BA000-memory.dmp	healer
behavioral1/memory/2568-27-0x00000000021D0000-0x00000000021E8000-memory.dmp	healer
behavioral1/memory/2568-31-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-55-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-53-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-51-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-49-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-47-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-45-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-43-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-41-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-39-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-37-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-35-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-33-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-29-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer
behavioral1/memory/2568-28-0x00000000021D0000-0x00000000021E2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr316776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr316776.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr316776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr316776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr316776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr316776.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1824-2148-0x0000000005400000-0x0000000005432000-memory.dmp	family_redline
behavioral1/files/0x0012000000023b7c-2153.dat	family_redline
behavioral1/memory/4340-2161-0x0000000000AF0000-0x0000000000B20000-memory.dmp	family_redline
behavioral1/files/0x0007000000023cb2-2171.dat	family_redline
behavioral1/memory/5440-2172-0x0000000000490000-0x00000000004BE000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	qu638545.exe

Executes dropped EXE 6 IoCs

pid	Process
1708	un294699.exe
1872	un490086.exe
2568	pr316776.exe
1824	qu638545.exe
4340	1.exe
5440	rk055991.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr316776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr316776.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	491591a7ee17ecc82de39bee1090087b0d9e5d1aca2164368b056a5ac936aeee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un294699.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un490086.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4008	2568	WerFault.exe	85
5384	1824	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un490086.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr316776.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu638545.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk055991.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491591a7ee17ecc82de39bee1090087b0d9e5d1aca2164368b056a5ac936aeee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un294699.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2568	pr316776.exe
2568	pr316776.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	pr316776.exe
Token: SeDebugPrivilege	1824	qu638545.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 1708	5024	491591a7ee17ecc82de39bee1090087b0d9e5d1aca2164368b056a5ac936aeee.exe	83
PID 5024 wrote to memory of 1708	5024	491591a7ee17ecc82de39bee1090087b0d9e5d1aca2164368b056a5ac936aeee.exe	83
PID 5024 wrote to memory of 1708	5024	491591a7ee17ecc82de39bee1090087b0d9e5d1aca2164368b056a5ac936aeee.exe	83
PID 1708 wrote to memory of 1872	1708	un294699.exe	84
PID 1708 wrote to memory of 1872	1708	un294699.exe	84
PID 1708 wrote to memory of 1872	1708	un294699.exe	84
PID 1872 wrote to memory of 2568	1872	un490086.exe	85
PID 1872 wrote to memory of 2568	1872	un490086.exe	85
PID 1872 wrote to memory of 2568	1872	un490086.exe	85
PID 1872 wrote to memory of 1824	1872	un490086.exe	96
PID 1872 wrote to memory of 1824	1872	un490086.exe	96
PID 1872 wrote to memory of 1824	1872	un490086.exe	96
PID 1824 wrote to memory of 4340	1824	qu638545.exe	97
PID 1824 wrote to memory of 4340	1824	qu638545.exe	97
PID 1824 wrote to memory of 4340	1824	qu638545.exe	97
PID 1708 wrote to memory of 5440	1708	un294699.exe	100
PID 1708 wrote to memory of 5440	1708	un294699.exe	100
PID 1708 wrote to memory of 5440	1708	un294699.exe	100

C:\Users\Admin\AppData\Local\Temp\491591a7ee17ecc82de39bee1090087b0d9e5d1aca2164368b056a5ac936aeee.exe
"C:\Users\Admin\AppData\Local\Temp\491591a7ee17ecc82de39bee1090087b0d9e5d1aca2164368b056a5ac936aeee.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un294699.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un294699.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un490086.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un490086.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr316776.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr316776.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1100
        5⤵
        Program crash
        
        PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu638545.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu638545.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1376
        5⤵
        Program crash
        
        PID:5384
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk055991.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk055991.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2568 -ip 2568
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1824 -ip 1824
1⤵
PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un294699.exe

Filesize
797KB

MD5
f0df78b61bf2b8ea125b93673ebe6ab7

SHA1
14b06e02822251cb6223eb1d216b8a4a16b7c0a6

SHA256
299913a0f0709ca1f539b05401224fc9122d7747eb42478a1f5525de84c1ad50

SHA512
ce5057dd52562809ff61a0bc93864f8572cf62c8823099a2385b587eafcefaee8cebdd688acb2b2da887d0d5ec59df981a47e76624758dae76371782d2b0e04f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk055991.exe

Filesize
168KB

MD5
9c80524f5c52cdef324ea38f7534e99e

SHA1
0f78d0c79aab3dd70ad51e750dda0c6690822b76

SHA256
a9855d07a2a1ac9b8413bb84f0b97da9690ee77f41d76f7321ad22f6942b9a17

SHA512
0ef17fdec739b2596ec9cb399847d11ec5bf9c60e0193076570f2589cb9dfb0d9518588db4b5d9547ecd9c40111fd1d447ac37da8214dd8c3bb05926d41d87ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un490086.exe

Filesize
643KB

MD5
1a6db72d26087ea4fd712cd22579727a

SHA1
e215ee0de302b8944f670ce0be6e6df1190b4aaf

SHA256
f519a402958b3da56ec14921b885d691b0d84c4d4d90aebd35e0c1b54257f7a3

SHA512
30ac6ccd9811068a0c75784019738260b3959388aaa2286d556b7c57a9b655ce9d79efd95271bc8e02808f756d474f2eb75f1c8860e40f9045f8a7566b1db16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr316776.exe

Filesize
243KB

MD5
6e8736e24330b2f23fae52d3f16fb554

SHA1
84d3a141b436552fac5601e86b060fad5c7630f5

SHA256
18e296ae901ea5500b79f037b57350ba34715f93a4befb378371f545c0ceec6b

SHA512
9354ea09a269cf3dba592ad44fcab81e984add61328866ebc0f98cd5b828192968aa25601743e8fc88532688ad7c547046f55739eec4a707da837cde14d927f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu638545.exe

Filesize
426KB

MD5
d08b7652d06cc3ad81af08508301ff7f

SHA1
9c7d1c3168bc3a0ebc871853d5ab8ffcc4eeb007

SHA256
124f41dbf59a37bf02cd3d11484ea873702d1dc055da5a14f61c72a2afdda886

SHA512
8537ab368155177a376da2306bac5bf4e63aa670b0b0938404f73b1abddfd41024584aa936957286a7f61a8f29ec6bb93c0a74cf9544611a435d4b495b97fbb2

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/1824-73-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-66-0x0000000004AF0000-0x0000000004B56000-memory.dmp

Filesize
408KB

Download
memory/1824-101-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-83-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-2148-0x0000000005400000-0x0000000005432000-memory.dmp

Filesize
200KB

Download
memory/1824-68-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-69-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-99-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-71-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-75-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-77-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-79-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-85-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-87-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-81-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-89-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-91-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-93-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-95-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-97-0x0000000002640000-0x000000000269F000-memory.dmp

Filesize
380KB

Download
memory/1824-67-0x0000000002640000-0x00000000026A6000-memory.dmp

Filesize
408KB

Download
memory/2568-35-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-45-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-25-0x00000000008A0000-0x00000000008BA000-memory.dmp

Filesize
104KB

Download
memory/2568-60-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2568-58-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2568-26-0x0000000004C90000-0x0000000005234000-memory.dmp

Filesize
5.6MB

Download
memory/2568-24-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2568-22-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/2568-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2568-56-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/2568-28-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-29-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-33-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-37-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-39-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-41-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-43-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-61-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2568-23-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2568-47-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-49-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-51-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-53-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-55-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-31-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-27-0x00000000021D0000-0x00000000021E8000-memory.dmp

Filesize
96KB

Download
memory/4340-2162-0x0000000002C40000-0x0000000002C46000-memory.dmp

Filesize
24KB

Download
memory/4340-2161-0x0000000000AF0000-0x0000000000B20000-memory.dmp

Filesize
192KB

Download
memory/4340-2164-0x0000000005550000-0x000000000565A000-memory.dmp

Filesize
1.0MB

Download
memory/4340-2165-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/4340-2166-0x00000000054D0000-0x000000000550C000-memory.dmp

Filesize
240KB

Download
memory/4340-2167-0x0000000005660000-0x00000000056AC000-memory.dmp

Filesize
304KB

Download
memory/4340-2163-0x0000000005A60000-0x0000000006078000-memory.dmp

Filesize
6.1MB

Download
memory/5440-2172-0x0000000000490000-0x00000000004BE000-memory.dmp

Filesize
184KB

Download
memory/5440-2173-0x0000000004BB0000-0x0000000004BB6000-memory.dmp

Filesize
24KB

Download