healer | 3a9f6eb2db25dcb7ab2055885f00d197dedb953498230ea8448eb7be9fa9cfb1

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a9f6eb2db25dcb7ab2055885f00d197dedb953498230ea8448eb7be9fa9cfb1.exe
Size

864KB
MD5

edd86d8305694109c1171dfc30dd7a9f
SHA1

d0c059e2b360b5aa823f936985bc8df1533751c1
SHA256

3a9f6eb2db25dcb7ab2055885f00d197dedb953498230ea8448eb7be9fa9cfb1
SHA512

046b1084052435c009a810cf926bd632a9916c80e25d0c353fd21a5a22fb25b94f518f20a1ff30e9b50ac8db402c0c30f00a50bdddde5fd61148c2ea6d72f814
SSDEEP

24576:wyli9wbb7QxoJCVx8p4WCEFmSUt02ot1j32:3ln7Q1x8pkEsrg

Score

10^/10

healer redline mango discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mango

193.233.20.28:4125

Attributes

auth_value
ecf79d7f5227d998a3501c972d915d23

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023c7e-19.dat	healer
behavioral1/memory/2316-22-0x0000000000B20000-0x0000000000B2A000-memory.dmp	healer
behavioral1/memory/2884-29-0x00000000046F0000-0x000000000470A000-memory.dmp	healer
behavioral1/memory/2884-31-0x0000000004A50000-0x0000000004A68000-memory.dmp	healer
behavioral1/memory/2884-32-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-35-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-57-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-55-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-54-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-51-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-49-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-47-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-45-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-41-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-39-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-38-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-33-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-43-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2884-59-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

b0526kK.exec21Hr52.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b0526kK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b0526kK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	c21Hr52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c21Hr52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	c21Hr52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c21Hr52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	c21Hr52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b0526kK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b0526kK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b0526kK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b0526kK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c21Hr52.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2836-67-0x00000000048F0000-0x0000000004936000-memory.dmp	family_redline
behavioral1/memory/2836-68-0x0000000004CB0000-0x0000000004CF4000-memory.dmp	family_redline
behavioral1/memory/2836-88-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-102-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-100-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-98-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-96-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-94-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-92-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-90-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-86-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-84-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-82-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-80-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-78-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-76-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-74-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-70-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-72-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline
behavioral1/memory/2836-69-0x0000000004CB0000-0x0000000004CEE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

Processes:

tice2142.exetice4698.exeb0526kK.exec21Hr52.exedHvGk52.exe

pid	Process
1844	tice2142.exe
3888	tice4698.exe
2316	b0526kK.exe
2884	c21Hr52.exe
2836	dHvGk52.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

b0526kK.exec21Hr52.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b0526kK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	c21Hr52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c21Hr52.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3a9f6eb2db25dcb7ab2055885f00d197dedb953498230ea8448eb7be9fa9cfb1.exetice2142.exetice4698.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a9f6eb2db25dcb7ab2055885f00d197dedb953498230ea8448eb7be9fa9cfb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tice2142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tice4698.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4232	2884	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tice4698.exec21Hr52.exedHvGk52.exe3a9f6eb2db25dcb7ab2055885f00d197dedb953498230ea8448eb7be9fa9cfb1.exetice2142.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tice4698.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c21Hr52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dHvGk52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a9f6eb2db25dcb7ab2055885f00d197dedb953498230ea8448eb7be9fa9cfb1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tice2142.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b0526kK.exec21Hr52.exe

pid	Process
2316	b0526kK.exe
2316	b0526kK.exe
2884	c21Hr52.exe
2884	c21Hr52.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b0526kK.exec21Hr52.exedHvGk52.exe

description	pid	Process
Token: SeDebugPrivilege	2316	b0526kK.exe
Token: SeDebugPrivilege	2884	c21Hr52.exe
Token: SeDebugPrivilege	2836	dHvGk52.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

3a9f6eb2db25dcb7ab2055885f00d197dedb953498230ea8448eb7be9fa9cfb1.exetice2142.exetice4698.exe

description	pid	Process	procid_target
PID 3452 wrote to memory of 1844	3452	3a9f6eb2db25dcb7ab2055885f00d197dedb953498230ea8448eb7be9fa9cfb1.exe	82
PID 3452 wrote to memory of 1844	3452	3a9f6eb2db25dcb7ab2055885f00d197dedb953498230ea8448eb7be9fa9cfb1.exe	82
PID 3452 wrote to memory of 1844	3452	3a9f6eb2db25dcb7ab2055885f00d197dedb953498230ea8448eb7be9fa9cfb1.exe	82
PID 1844 wrote to memory of 3888	1844	tice2142.exe	83
PID 1844 wrote to memory of 3888	1844	tice2142.exe	83
PID 1844 wrote to memory of 3888	1844	tice2142.exe	83
PID 3888 wrote to memory of 2316	3888	tice4698.exe	85
PID 3888 wrote to memory of 2316	3888	tice4698.exe	85
PID 3888 wrote to memory of 2884	3888	tice4698.exe	94
PID 3888 wrote to memory of 2884	3888	tice4698.exe	94
PID 3888 wrote to memory of 2884	3888	tice4698.exe	94
PID 1844 wrote to memory of 2836	1844	tice2142.exe	99
PID 1844 wrote to memory of 2836	1844	tice2142.exe	99
PID 1844 wrote to memory of 2836	1844	tice2142.exe	99

C:\Users\Admin\AppData\Local\Temp\3a9f6eb2db25dcb7ab2055885f00d197dedb953498230ea8448eb7be9fa9cfb1.exe
"C:\Users\Admin\AppData\Local\Temp\3a9f6eb2db25dcb7ab2055885f00d197dedb953498230ea8448eb7be9fa9cfb1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice2142.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice2142.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice4698.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice4698.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0526kK.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0526kK.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c21Hr52.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c21Hr52.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1084
        5⤵
        Program crash
        
        PID:4232
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dHvGk52.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dHvGk52.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2884 -ip 2884
1⤵
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice2142.exe

Filesize
719KB

MD5
f315f1c469ba27ea3b9d2ec93fa78ebb

SHA1
31edc3c0faf35e0c02507740fbd38d6ef20dbdc9

SHA256
b9a546a9e5263c73a8c87bc890c2bdeb0f02e84f330b1c2bc4eb43a5284df3b0

SHA512
5e0898400310cead9cfd0aa9a307fbc6f44d5dfff66f450db42664453c898fb44063236d92134b513c66a44c339c4b5ab7c6486beae94c11429425acc47609f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dHvGk52.exe

Filesize
400KB

MD5
0ac14e46a9b15504885c9cff2f710dda

SHA1
4cd53d135468c86457943448b814dd97d6a39938

SHA256
0eaea1816f5306fb08fc133711943780e2732bc120a4926d4825cbe9707ae79d

SHA512
802a3ff65b830b6b810fabd4fd0035e18e25a97441e8ac79b9c084163f6981ea130276cc1744669f086a665c1281924f6305136318ea2b631feed59ec4716403

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice4698.exe

Filesize
359KB

MD5
9f061639899d1308123804e2392b3d42

SHA1
69234636ffb9c08ef17a69a6bbebf067a4b26b0b

SHA256
f56d266447137f8aeb92b3567cdd02606ef3b9482d8ac895cfab2e263c82e5d0

SHA512
fe6c0f63d3fcf9c34644e3f2a203eca8b0b20773f6fe38184ccf8dd6f55dc7bc3d82096a4774c3ad61240b57a54c7dc53433e373379c948c2d1fd0d9b064c12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0526kK.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c21Hr52.exe

Filesize
342KB

MD5
5203e4fd33311ee52bc00c308fc6b8c2

SHA1
9ccdfbbef4a5a8983d4a1de7139cdcb645a3bf0f

SHA256
0880a27b50b0927449fca841525ba2a9c3b61027f7b1e2ed1b7d332065edad24

SHA512
0d03c4fe2788170da6bd31e846368dbb6681ef5b73f20c061db912bf5f0e17caccb77a4689e5f6edc8c526c312040bd420da1a25c56a5490c8b1658856fbfb14

Download Submit
memory/2316-21-0x00007FFFE6713000-0x00007FFFE6715000-memory.dmp

Filesize
8KB

Download
memory/2316-22-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/2316-23-0x00007FFFE6713000-0x00007FFFE6715000-memory.dmp

Filesize
8KB

Download
memory/2836-82-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-80-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-979-0x00000000080B0000-0x00000000080FC000-memory.dmp

Filesize
304KB

Download
memory/2836-978-0x0000000007F70000-0x0000000007FAC000-memory.dmp

Filesize
240KB

Download
memory/2836-977-0x0000000007F50000-0x0000000007F62000-memory.dmp

Filesize
72KB

Download
memory/2836-976-0x0000000007E40000-0x0000000007F4A000-memory.dmp

Filesize
1.0MB

Download
memory/2836-975-0x0000000007820000-0x0000000007E38000-memory.dmp

Filesize
6.1MB

Download
memory/2836-69-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-72-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-70-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-74-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-76-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-78-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-96-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-84-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-86-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-90-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-92-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-94-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-67-0x00000000048F0000-0x0000000004936000-memory.dmp

Filesize
280KB

Download
memory/2836-68-0x0000000004CB0000-0x0000000004CF4000-memory.dmp

Filesize
272KB

Download
memory/2836-88-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-102-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-100-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2836-98-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/2884-41-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-30-0x0000000007380000-0x0000000007924000-memory.dmp

Filesize
5.6MB

Download
memory/2884-61-0x0000000000400000-0x0000000002B19000-memory.dmp

Filesize
39.1MB

Download
memory/2884-59-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-43-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-33-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-29-0x00000000046F0000-0x000000000470A000-memory.dmp

Filesize
104KB

Download
memory/2884-38-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-39-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-31-0x0000000004A50000-0x0000000004A68000-memory.dmp

Filesize
96KB

Download
memory/2884-45-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-47-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-49-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-51-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-54-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-55-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-57-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-35-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2884-32-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download