healer | e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exe
Size

813KB
MD5

930ce1872717c80d72f576ac11e92bfb
SHA1

076476334615ab1c80b4f16d8d115eeb463931c3
SHA256

e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461
SHA512

281aeccd29b080d61c8a8766a059e19f7ba33bf031333cbe3ff3b8133bffd1dcbed43c4d32856d5e4e69999407d180c6bf6090289409aa08526d621198f237cd
SSDEEP

12288:8MrMy90pv6TqayICoD/K7oVPwYH2dEuSEe7RNIWkMD4H3D2OyvSsAT1rSJPORWS+:oyQvdGm7eIYH2d2d0T2p/MEiKd4K

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3636-19-0x00000000025B0000-0x00000000025CA000-memory.dmp	healer
behavioral1/memory/3636-21-0x0000000002850000-0x0000000002868000-memory.dmp	healer
behavioral1/memory/3636-48-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-49-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-45-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-43-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-39-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-37-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-35-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-34-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-31-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-29-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-27-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-23-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-22-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-41-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/3636-25-0x0000000002850000-0x0000000002862000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro4685.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4685.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4685.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4685.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4685.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4685.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4685.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/512-2143-0x0000000005750000-0x0000000005782000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral1/memory/5548-2156-0x0000000000330000-0x0000000000360000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si526573.exe	family_redline
behavioral1/memory/5836-2166-0x0000000000140000-0x000000000016E000-memory.dmp	family_redline

Redline family
redline
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

qu3391.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation qu3391.exe
Executes dropped EXE 5 IoCs

Processes:

un532185.exepro4685.exequ3391.exe1.exesi526573.exe

pid process

3480 un532185.exe
3636 pro4685.exe
512 qu3391.exe
5548 1.exe
5836 si526573.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	qu3391.exe

pid	process
3480	un532185.exe
3636	pro4685.exe
512	qu3391.exe
5548	1.exe
5836	si526573.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro4685.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4685.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4685.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exeun532185.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un532185.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4964 3636 WerFault.exe pro4685.exe
5564 512 WerFault.exe qu3391.exe

pid	pid_target	process	target process
4964	3636	WerFault.exe	pro4685.exe
5564	512	WerFault.exe	qu3391.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1.exesi526573.exee78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exeun532185.exepro4685.exequ3391.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si526573.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un532185.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro4685.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu3391.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro4685.exe

pid process

3636 pro4685.exe
3636 pro4685.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro4685.exequ3391.exe

description pid process

Token: SeDebugPrivilege 3636 pro4685.exe
Token: SeDebugPrivilege 512 qu3391.exe

pid	process
3636	pro4685.exe
3636	pro4685.exe

description	pid	process
Token: SeDebugPrivilege	3636	pro4685.exe
Token: SeDebugPrivilege	512	qu3391.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exeun532185.exequ3391.exe

description	pid	process	target process
PID 4032 wrote to memory of 3480	4032	e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exe	un532185.exe
PID 4032 wrote to memory of 3480	4032	e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exe	un532185.exe
PID 4032 wrote to memory of 3480	4032	e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exe	un532185.exe
PID 3480 wrote to memory of 3636	3480	un532185.exe	pro4685.exe
PID 3480 wrote to memory of 3636	3480	un532185.exe	pro4685.exe
PID 3480 wrote to memory of 3636	3480	un532185.exe	pro4685.exe
PID 3480 wrote to memory of 512	3480	un532185.exe	qu3391.exe
PID 3480 wrote to memory of 512	3480	un532185.exe	qu3391.exe
PID 3480 wrote to memory of 512	3480	un532185.exe	qu3391.exe
PID 512 wrote to memory of 5548	512	qu3391.exe	1.exe
PID 512 wrote to memory of 5548	512	qu3391.exe	1.exe
PID 512 wrote to memory of 5548	512	qu3391.exe	1.exe
PID 4032 wrote to memory of 5836	4032	e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exe	si526573.exe
PID 4032 wrote to memory of 5836	4032	e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exe	si526573.exe
PID 4032 wrote to memory of 5836	4032	e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exe	si526573.exe

C:\Users\Admin\AppData\Local\Temp\e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exe
"C:\Users\Admin\AppData\Local\Temp\e78e5d542a85d3218317f83b489fe780fff2e831591dd9ef3b98f0b6de56e461.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un532185.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un532185.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4685.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4685.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1084
      4⤵
      Program crash
      PID:4964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3391.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3391.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:512
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 1376
      4⤵
      Program crash
      PID:5564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si526573.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si526573.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3636 -ip 3636
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 512 -ip 512
1⤵
PID:5700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si526573.exe

Filesize
169KB

MD5
e27f8d7a0c1ad4e47ad88e28a8622e73

SHA1
325cfe168bf3f7369380054b60576b8b69a2a260

SHA256
28fe0c256d7c7defb481a8ae1ca37447e2c73810dc335a789a70661bb5fd37fb

SHA512
5ad2cadc1c8e39c87f2e01ff44d76bfbb165f2c456c4f663a7f075418a86e4e83ef24a4244930303b413a7f6dfc2d6bf14d0e7c44e84d92d80c49cc462d07bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un532185.exe

Filesize
660KB

MD5
ce7712c13d4d4120c36f3f513b2f2f24

SHA1
9c539ae8263480c4874ab917d1e7689ede040bb6

SHA256
3d627175dc488d11d15056a8ff702cc90a4441d686f65ec072bb2069266d3aa4

SHA512
a67599fe40b78aac69c43125a87dbcd27dc7e09667467863c9c1367a49fbeac9c46c7d31ba7ef525c8c1dbf2c9a12021d1f103fd5b2e0b22b1722fb82316cd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4685.exe

Filesize
332KB

MD5
d404d200fb643d63ec22a07cc0c40df4

SHA1
8368c393323ed908d17ce01f307c5c7eedca40e0

SHA256
b8e1173f673c436f7df7591b79a0006ddeb8323b0c93199bc316d8e70c8dda32

SHA512
be6b68b69394e23ef6b285c161bccb8e888992f9b140a7cedd2d17766bfd36ef445b1c26d1f8c1a9b1d10ff66b810061d0a0d3d37b92fa6c8f4f31fa670e9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3391.exe

Filesize
495KB

MD5
e7cc1bccbd909176ab22ceb4b790faf6

SHA1
c7931b751247c27213ff8d48811d4cba0596545d

SHA256
2127f992f77dbd54bfd4b227b7000f835687b172775f035ff79e696b12025c3d

SHA512
75aa62382ea2bc021d5546a1ef8d24606029f55eea9ca466134b4886814d031a8bc737931675641d7b16d55ef52d2770857fa875e68b319701e40de3b44441b2

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/512-82-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-61-0x0000000002900000-0x0000000002966000-memory.dmp

Filesize
408KB

Download
memory/512-74-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-78-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-2143-0x0000000005750000-0x0000000005782000-memory.dmp

Filesize
200KB

Download
memory/512-63-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-64-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-66-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-68-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-70-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-72-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-76-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-80-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-96-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-86-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-88-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-90-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-92-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-94-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-84-0x0000000005540000-0x000000000559F000-memory.dmp

Filesize
380KB

Download
memory/512-62-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/3636-27-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-37-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-18-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/3636-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3636-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3636-20-0x0000000004EB0000-0x0000000005454000-memory.dmp

Filesize
5.6MB

Download
memory/3636-15-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/3636-50-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/3636-25-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-41-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-22-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-23-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-19-0x00000000025B0000-0x00000000025CA000-memory.dmp

Filesize
104KB

Download
memory/3636-29-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-31-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-34-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-35-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-55-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/3636-39-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3636-43-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-45-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-49-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-48-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3636-17-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/3636-21-0x0000000002850000-0x0000000002868000-memory.dmp

Filesize
96KB

Download
memory/5548-2157-0x00000000025C0000-0x00000000025C6000-memory.dmp

Filesize
24KB

Download
memory/5548-2158-0x00000000052C0000-0x00000000058D8000-memory.dmp

Filesize
6.1MB

Download
memory/5548-2159-0x0000000004DB0000-0x0000000004EBA000-memory.dmp

Filesize
1.0MB

Download
memory/5548-2160-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/5548-2156-0x0000000000330000-0x0000000000360000-memory.dmp

Filesize
192KB

Download
memory/5548-2164-0x0000000004D20000-0x0000000004D5C000-memory.dmp

Filesize
240KB

Download
memory/5548-2167-0x0000000004D60000-0x0000000004DAC000-memory.dmp

Filesize
304KB

Download
memory/5836-2166-0x0000000000140000-0x000000000016E000-memory.dmp

Filesize
184KB

Download
memory/5836-2168-0x0000000002430000-0x0000000002436000-memory.dmp

Filesize
24KB

Download