healer | 960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47c

Analysis

max time kernel
112s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exe
Size

649KB
MD5

3422d3f6531168aaf74cbe8611b36590
SHA1

2ba16f05ca705b9b8948c252e8cb15803050c5f1
SHA256

960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47c
SHA512

c2ebf22e3761a904bb5afa0dc4f86e2a97fed3c2c885462f7e3495b31e4be254bd38d099e21565df7a1d4d2d2e99483cab2441baae3c784c2aa89ae11e803276
SSDEEP

12288:6Mr9y907tdQpvyst59Kc01Fi7C5e1irlflpMMwVPhzW/qwN4oq:Hy9pqslP0m7C5eQlflpo5+f9q

Score

10^/10

healer redline mango discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mango

193.233.20.28:4125

Attributes

auth_value
ecf79d7f5227d998a3501c972d915d23

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6660gh.exe	healer
behavioral1/memory/2412-15-0x0000000000AF0000-0x0000000000AFA000-memory.dmp	healer
behavioral1/memory/672-22-0x0000000002380000-0x000000000239A000-memory.dmp	healer
behavioral1/memory/672-24-0x00000000023B0000-0x00000000023C8000-memory.dmp	healer
behavioral1/memory/672-52-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-50-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-48-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-46-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-44-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-42-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-40-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-38-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-36-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-34-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-32-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-30-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-28-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-26-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer
behavioral1/memory/672-25-0x00000000023B0000-0x00000000023C2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

c12Wi09.exeb6660gh.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	c12Wi09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c12Wi09.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b6660gh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	c12Wi09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c12Wi09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b6660gh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b6660gh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	c12Wi09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c12Wi09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b6660gh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b6660gh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b6660gh.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4240-60-0x00000000025B0000-0x00000000025F6000-memory.dmp	family_redline
behavioral1/memory/4240-61-0x00000000050C0000-0x0000000005104000-memory.dmp	family_redline
behavioral1/memory/4240-63-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-73-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-95-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-93-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-91-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-89-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-87-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-85-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-83-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-81-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-79-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-77-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-71-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-69-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-67-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-65-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-75-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline
behavioral1/memory/4240-62-0x00000000050C0000-0x00000000050FE000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 4 IoCs

Processes:

tice4084.exeb6660gh.exec12Wi09.exedbYTX76.exe

pid process

4820 tice4084.exe
2412 b6660gh.exe
672 c12Wi09.exe
4240 dbYTX76.exe

pid	process
4820	tice4084.exe
2412	b6660gh.exe
672	c12Wi09.exe
4240	dbYTX76.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

b6660gh.exec12Wi09.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b6660gh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	c12Wi09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c12Wi09.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exetice4084.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tice4084.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

768 672 WerFault.exe c12Wi09.exe

pid	pid_target	process	target process
768	672	WerFault.exe	c12Wi09.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dbYTX76.exe960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exetice4084.exec12Wi09.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbYTX76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tice4084.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c12Wi09.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b6660gh.exec12Wi09.exe

pid process

2412 b6660gh.exe
2412 b6660gh.exe
672 c12Wi09.exe
672 c12Wi09.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b6660gh.exec12Wi09.exedbYTX76.exe

description pid process

Token: SeDebugPrivilege 2412 b6660gh.exe
Token: SeDebugPrivilege 672 c12Wi09.exe
Token: SeDebugPrivilege 4240 dbYTX76.exe

pid	process
2412	b6660gh.exe
2412	b6660gh.exe
672	c12Wi09.exe
672	c12Wi09.exe

description	pid	process
Token: SeDebugPrivilege	2412	b6660gh.exe
Token: SeDebugPrivilege	672	c12Wi09.exe
Token: SeDebugPrivilege	4240	dbYTX76.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exetice4084.exe

description	pid	process	target process
PID 3316 wrote to memory of 4820	3316	960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exe	tice4084.exe
PID 3316 wrote to memory of 4820	3316	960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exe	tice4084.exe
PID 3316 wrote to memory of 4820	3316	960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exe	tice4084.exe
PID 4820 wrote to memory of 2412	4820	tice4084.exe	b6660gh.exe
PID 4820 wrote to memory of 2412	4820	tice4084.exe	b6660gh.exe
PID 4820 wrote to memory of 672	4820	tice4084.exe	c12Wi09.exe
PID 4820 wrote to memory of 672	4820	tice4084.exe	c12Wi09.exe
PID 4820 wrote to memory of 672	4820	tice4084.exe	c12Wi09.exe
PID 3316 wrote to memory of 4240	3316	960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exe	dbYTX76.exe
PID 3316 wrote to memory of 4240	3316	960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exe	dbYTX76.exe
PID 3316 wrote to memory of 4240	3316	960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exe	dbYTX76.exe

C:\Users\Admin\AppData\Local\Temp\960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exe
"C:\Users\Admin\AppData\Local\Temp\960e251ec5b78b63eccc84865c6c5992b4b8cc4faac997aac6dd6f88d9ded47cN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4084.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4084.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6660gh.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6660gh.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c12Wi09.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c12Wi09.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 1080
      4⤵
      Program crash
      PID:768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dbYTX76.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dbYTX76.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 672 -ip 672
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dbYTX76.exe

Filesize
284KB

MD5
20384c047eeccb2e0834ecbca7d721fb

SHA1
a32ab4634622b20c0d8df6b0376d4b93075b3d5c

SHA256
cf2ce67ebd7f651fafdc8673f0d8193c205a9db31dfa5a426cc8c3684d0a4e51

SHA512
08d5c081eb3cbae8cb245248ba3d231ff889de1a64817b0a4a98e72cac957d2bfc3770894171834e5e183e396f15935463c63ba0eca09c3fb6f81a2993437404

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4084.exe

Filesize
325KB

MD5
905ccec73a00a8586e5a4637b80dc6cf

SHA1
f32c34802ecd82d637321ff5d4c7f41cf436c360

SHA256
d2fdf4ffc7f0b4302c0a86a521be325197a10bc9a81548195df7d73eb57a9703

SHA512
d38472b890aa5727bd0ba66e47db740c86bc0ca6427d29ca76e44e9aba09393b54e204d56101826240005f8fe86c5f868f54bc647ec51a9cbfce9cf7cbc46cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6660gh.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c12Wi09.exe

Filesize
226KB

MD5
8c58c1d5b1d5f0b9153c0c1d110d0240

SHA1
430430303d14244f9b99a29e09cb5d06bc7727d9

SHA256
e7eefbf96a65e930c7137080f9cac5468e9673c7373aec7c8ed4bbeb4aebb728

SHA512
cb44a75a14eadf1bd9d543e4b72f2ff9d54d4ee9d548f449a37b7346f7d9632df071864ca8f6d2e5479ad857681f735b7363b05d1dbc93a31c9f36df2404dd66

Download Submit
memory/672-55-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/672-40-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-22-0x0000000002380000-0x000000000239A000-memory.dmp

Filesize
104KB

Download
memory/672-23-0x0000000004B00000-0x00000000050A4000-memory.dmp

Filesize
5.6MB

Download
memory/672-24-0x00000000023B0000-0x00000000023C8000-memory.dmp

Filesize
96KB

Download
memory/672-52-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-50-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-48-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-46-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-44-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-42-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-34-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-38-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-36-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-53-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/672-32-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-30-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-28-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-26-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/672-25-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2412-14-0x00007FF8C0A03000-0x00007FF8C0A05000-memory.dmp

Filesize
8KB

Download
memory/2412-15-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/2412-16-0x00007FF8C0A03000-0x00007FF8C0A05000-memory.dmp

Filesize
8KB

Download
memory/4240-62-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-85-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-63-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-73-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-95-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-93-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-91-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-89-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-87-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-61-0x00000000050C0000-0x0000000005104000-memory.dmp

Filesize
272KB

Download
memory/4240-83-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-81-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-79-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-77-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-71-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-69-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-67-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-65-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-75-0x00000000050C0000-0x00000000050FE000-memory.dmp

Filesize
248KB

Download
memory/4240-60-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/4240-968-0x0000000005100000-0x0000000005718000-memory.dmp

Filesize
6.1MB

Download
memory/4240-969-0x00000000057A0000-0x00000000058AA000-memory.dmp

Filesize
1.0MB

Download
memory/4240-970-0x00000000058E0000-0x00000000058F2000-memory.dmp

Filesize
72KB

Download
memory/4240-971-0x0000000005900000-0x000000000593C000-memory.dmp

Filesize
240KB

Download
memory/4240-972-0x0000000005A50000-0x0000000005A9C000-memory.dmp

Filesize
304KB

Download