healer | d548a11e7e2c4a2afbc8f6e13e35d75fa7444c20740a4ea6d37a9dcf8bc9fd2d

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d548a11e7e2c4a2afbc8f6e13e35d75fa7444c20740a4ea6d37a9dcf8bc9fd2d.exe
Size

1.2MB
MD5

d51f44355e1887c6c76515ec4418ad8a
SHA1

bbf8e10298a17fff9d31229a2dac5eb9be65ae40
SHA256

d548a11e7e2c4a2afbc8f6e13e35d75fa7444c20740a4ea6d37a9dcf8bc9fd2d
SHA512

7b9adb06c087e431d7f158317352953351b3c2a6dd18a8dc92a6494773c8b85255e635e3a941420bb805af5393413b130be3b9ea7b511644343d6bf87d52df9b
SSDEEP

24576:Jy/PlVhzVananoxlRVv1LREdo+hlhvTjNCRhS2NS3JCOa5:8/HaaslRwtIN+UOY

Score

10^/10

healer redline dirx soft discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

soft

77.91.124.146:4121

Attributes

auth_value
e65663e455bca3c5699650b66e76ceaa

Extracted

Family

redline

Botnet

dirx

77.91.124.146:4121

Attributes

auth_value
522d988f763be056e53e089f74d464cc

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1564-22-0x00000000029C0000-0x00000000029DA000-memory.dmp	healer
behavioral1/memory/1564-24-0x0000000002A90000-0x0000000002AA8000-memory.dmp	healer
behavioral1/memory/1564-42-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-52-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-50-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-48-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-46-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-44-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-40-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-39-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-36-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-35-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-30-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-32-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-28-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-26-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer
behavioral1/memory/1564-25-0x0000000002A90000-0x0000000002AA2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr853494.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr853494.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr853494.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr853494.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr853494.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr853494.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2248-2190-0x0000000005780000-0x00000000057B2000-memory.dmp	family_redline
behavioral1/files/0x0010000000023b07-2195.dat	family_redline
behavioral1/memory/6468-2203-0x00000000009D0000-0x00000000009FE000-memory.dmp	family_redline
behavioral1/files/0x0009000000023bd3-2211.dat	family_redline
behavioral1/memory/6592-2213-0x00000000005B0000-0x00000000005E0000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	qu001486.exe

Executes dropped EXE 6 IoCs

pid	Process
4552	un660534.exe
3488	un839750.exe
1564	pr853494.exe
2248	qu001486.exe
6468	1.exe
6592	rk104021.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr853494.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr853494.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un660534.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un839750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d548a11e7e2c4a2afbc8f6e13e35d75fa7444c20740a4ea6d37a9dcf8bc9fd2d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4872	1564	WerFault.exe	85
6540	2248	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d548a11e7e2c4a2afbc8f6e13e35d75fa7444c20740a4ea6d37a9dcf8bc9fd2d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un660534.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un839750.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr853494.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu001486.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk104021.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1564	pr853494.exe
1564	pr853494.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1564	pr853494.exe
Token: SeDebugPrivilege	2248	qu001486.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 4552	3536	d548a11e7e2c4a2afbc8f6e13e35d75fa7444c20740a4ea6d37a9dcf8bc9fd2d.exe	83
PID 3536 wrote to memory of 4552	3536	d548a11e7e2c4a2afbc8f6e13e35d75fa7444c20740a4ea6d37a9dcf8bc9fd2d.exe	83
PID 3536 wrote to memory of 4552	3536	d548a11e7e2c4a2afbc8f6e13e35d75fa7444c20740a4ea6d37a9dcf8bc9fd2d.exe	83
PID 4552 wrote to memory of 3488	4552	un660534.exe	84
PID 4552 wrote to memory of 3488	4552	un660534.exe	84
PID 4552 wrote to memory of 3488	4552	un660534.exe	84
PID 3488 wrote to memory of 1564	3488	un839750.exe	85
PID 3488 wrote to memory of 1564	3488	un839750.exe	85
PID 3488 wrote to memory of 1564	3488	un839750.exe	85
PID 3488 wrote to memory of 2248	3488	un839750.exe	96
PID 3488 wrote to memory of 2248	3488	un839750.exe	96
PID 3488 wrote to memory of 2248	3488	un839750.exe	96
PID 2248 wrote to memory of 6468	2248	qu001486.exe	98
PID 2248 wrote to memory of 6468	2248	qu001486.exe	98
PID 2248 wrote to memory of 6468	2248	qu001486.exe	98
PID 4552 wrote to memory of 6592	4552	un660534.exe	101
PID 4552 wrote to memory of 6592	4552	un660534.exe	101
PID 4552 wrote to memory of 6592	4552	un660534.exe	101

C:\Users\Admin\AppData\Local\Temp\d548a11e7e2c4a2afbc8f6e13e35d75fa7444c20740a4ea6d37a9dcf8bc9fd2d.exe
"C:\Users\Admin\AppData\Local\Temp\d548a11e7e2c4a2afbc8f6e13e35d75fa7444c20740a4ea6d37a9dcf8bc9fd2d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un660534.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un660534.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un839750.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un839750.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr853494.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr853494.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1564
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1084
        5⤵
        Program crash
        
        PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu001486.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu001486.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1460
        5⤵
        Program crash
        
        PID:6540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk104021.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk104021.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1564 -ip 1564
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2248 -ip 2248
1⤵
PID:6496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un660534.exe

Filesize
862KB

MD5
adfad982af246154acfb8517f7bd1f3b

SHA1
9a46e8cea645f6bc5b66764487fcce3f0a760892

SHA256
ff4a02e6b41f8ce698e90608a6662a24379e369efe8d1c05a17ff325fdc7057f

SHA512
8dd864ca414331357f12889b990574490e830133a0c702d70e900118e65321c85e8cd052deeda3dc6565561813febb73e405be96a1c28775a2579b6d464528ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk104021.exe

Filesize
168KB

MD5
fbfa01d46e7b58b1ed79a6be4cf69461

SHA1
397b2456c912f7942bd691162ed2a45625aa70e2

SHA256
e3303efcab49c407fb255248f1206d2447b02004dd34b22b1d2b6742f6846e0d

SHA512
b8d5d4cec4d9151ac21778037ab605986c9567d18f14ae36d81cc7e59308f70701ef6442d4cb82fb1766fdf82d64daead30b580685dfa80871f02097c6fed7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un839750.exe

Filesize
708KB

MD5
9cfb95c04d2fed71f3d0c11319bd4605

SHA1
68abc420d347cd8b813f61a580c3e6b268573ae7

SHA256
6e3358ebfda014c0389ca34b7fcb11db805d0325f10d4f7e8c6d9a92b3a2163d

SHA512
312c392658ae5e3f622c28da88797b9cd48d8c1d1d6c73169c283aee02de8f23c4f166082347ccbcd3a62b7dd07bd6b855579506626c367c85821ccabdeb6b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr853494.exe

Filesize
403KB

MD5
c93e5924308cfc9e1895bfe02de3e8a0

SHA1
e99180db3b362b529fd49b64b776f1863e4096f5

SHA256
6ba4e1d3573049f9679f0d5c8e007dc492d3f6c140c583f6c5d9eb019ef15979

SHA512
ab64d15ec73e985b0a7ccd4e52196696cdd0e8a073f71ad1231e1aefa3c702d0c6f22016d7fb9f388c3e91e42f35d5681481b88b60538bdd5a493679ffeeab3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu001486.exe

Filesize
588KB

MD5
caaffc567d91760ae282750da9afee38

SHA1
d633d2f910faa1490dacdc1fe8b6c9f61107ad3f

SHA256
2425462e2c2ce41cd2974e8c723da773250392e607e74017d8fc6464951f45b2

SHA512
74d8a4be9951084551c590e077e69e58a95042037530b58384219185633d861115837ab91ad9582a68de4682f8a50290ad93de478c80ffde1f42c2b7c270123d

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
memory/1564-22-0x00000000029C0000-0x00000000029DA000-memory.dmp

Filesize
104KB

Download
memory/1564-23-0x0000000005100000-0x00000000056A4000-memory.dmp

Filesize
5.6MB

Download
memory/1564-24-0x0000000002A90000-0x0000000002AA8000-memory.dmp

Filesize
96KB

Download
memory/1564-42-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-52-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-50-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-48-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-46-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-44-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-40-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-39-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-36-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-35-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-30-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-32-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-28-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-26-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-25-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/1564-53-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/1564-55-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/2248-60-0x0000000002740000-0x00000000027A8000-memory.dmp

Filesize
416KB

Download
memory/2248-61-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/2248-65-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-75-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-87-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-95-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-93-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-91-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-89-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-85-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-81-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-79-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-77-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-73-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-71-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-69-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-67-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-63-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-83-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-62-0x00000000055B0000-0x0000000005610000-memory.dmp

Filesize
384KB

Download
memory/2248-2190-0x0000000005780000-0x00000000057B2000-memory.dmp

Filesize
200KB

Download
memory/6468-2203-0x00000000009D0000-0x00000000009FE000-memory.dmp

Filesize
184KB

Download
memory/6468-2204-0x0000000002B80000-0x0000000002B86000-memory.dmp

Filesize
24KB

Download
memory/6468-2205-0x0000000005940000-0x0000000005F58000-memory.dmp

Filesize
6.1MB

Download
memory/6468-2206-0x0000000005430000-0x000000000553A000-memory.dmp

Filesize
1.0MB

Download
memory/6468-2207-0x0000000005350000-0x0000000005362000-memory.dmp

Filesize
72KB

Download
memory/6468-2209-0x00000000053B0000-0x00000000053EC000-memory.dmp

Filesize
240KB

Download
memory/6468-2215-0x0000000005540000-0x000000000558C000-memory.dmp

Filesize
304KB

Download
memory/6592-2213-0x00000000005B0000-0x00000000005E0000-memory.dmp

Filesize
192KB

Download
memory/6592-2214-0x00000000026B0000-0x00000000026B6000-memory.dmp

Filesize
24KB

Download