phemedrone | 976ab5ad4822144756c44ce8fb0426f62e26d9d579d0cb5211c1701be681e775

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2023 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe
Size

4.9MB
MD5

e74b8c7dfcf9ccf4cce06b7481bc06c0
SHA1

c1b3d72fb4b04462d894e5478ea1da26af0932c6
SHA256

976ab5ad4822144756c44ce8fb0426f62e26d9d579d0cb5211c1701be681e775
SHA512

7dad6ebde32bb186dda82c8efda7f46dc2523ac4180f78c9368c0d35eb757b48525dbcf5f65c42f38a42f3253fcee7246646075e22a3ef4a1a6e64b769e875ef
SSDEEP

98304:usadS1IAMpZL6DZ4x0z5vzg2ObHhpfkKmCNHBANF1bkzTtwOUcO:u/ZAaMxZZiBeCNHyzbklwOUcO

Score

10^/10

phemedrone spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot6526296839:AAHf93IZJTXM1F9tUJGQR-zriuV-RU7enBM/sendMessage?chat_id=872309541

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	fluxus2_protected.exe

Executes dropped EXE 3 IoCs

pid	Process
4676	fluxus2_protected.exe
5048	Fluxus V7.exe
740	crypt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4676	fluxus2_protected.exe
740	crypt.exe
740	crypt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2564	740	WerFault.exe	92

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	crypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	crypt.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Fluxus V7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Fluxus V7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Fluxus V7.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4676	fluxus2_protected.exe
4676	fluxus2_protected.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
5048	Fluxus V7.exe
5048	Fluxus V7.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe
740	crypt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	740	crypt.exe
Token: SeDebugPrivilege	5048	Fluxus V7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4676	fluxus2_protected.exe
740	crypt.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 4676	2504	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	89
PID 2504 wrote to memory of 4676	2504	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	89
PID 2504 wrote to memory of 4676	2504	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	89
PID 2504 wrote to memory of 5048	2504	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	91
PID 2504 wrote to memory of 5048	2504	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	91
PID 2504 wrote to memory of 5048	2504	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	91
PID 4676 wrote to memory of 740	4676	fluxus2_protected.exe	92
PID 4676 wrote to memory of 740	4676	fluxus2_protected.exe	92
PID 4676 wrote to memory of 740	4676	fluxus2_protected.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\fluxus2_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\fluxus2_protected.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\crypt.exe
    "C:\Users\Admin\AppData\Local\Temp\crypt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 2724
      4⤵
      Program crash
      PID:2564
- C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe
  "C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5048

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 740 -ip 740
1⤵
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yvqx2u25.3zd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fluxus2_protected.exe

Filesize
2.4MB

MD5
a768c386ac833969acd939af76af2968

SHA1
f41bd3d0e7c8330e9f08ff5ca23d6096ea6519fa

SHA256
7d247252300633c5823d6b0241794448731b9d5a306cf1e43ecc5d4c83c1d676

SHA512
3fbc4fa7ffa2803135d918a156a5c4d3fcf709cd6e3500fdb2367c2355ecb31b5cc6e05a283d99f5fcea3e8e623065c6c89935fe3ca5896a950c308d34ae4e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\fluxus2_protected.exe

Filesize
2.4MB

MD5
a768c386ac833969acd939af76af2968

SHA1
f41bd3d0e7c8330e9f08ff5ca23d6096ea6519fa

SHA256
7d247252300633c5823d6b0241794448731b9d5a306cf1e43ecc5d4c83c1d676

SHA512
3fbc4fa7ffa2803135d918a156a5c4d3fcf709cd6e3500fdb2367c2355ecb31b5cc6e05a283d99f5fcea3e8e623065c6c89935fe3ca5896a950c308d34ae4e94

Download Submit
\??\c:\users\admin\appdata\local\temp\fluxus2_protected.exe

Filesize
2.4MB

MD5
a768c386ac833969acd939af76af2968

SHA1
f41bd3d0e7c8330e9f08ff5ca23d6096ea6519fa

SHA256
7d247252300633c5823d6b0241794448731b9d5a306cf1e43ecc5d4c83c1d676

SHA512
3fbc4fa7ffa2803135d918a156a5c4d3fcf709cd6e3500fdb2367c2355ecb31b5cc6e05a283d99f5fcea3e8e623065c6c89935fe3ca5896a950c308d34ae4e94

Download Submit
memory/740-94-0x0000000072F70000-0x0000000073720000-memory.dmp

Filesize
7.7MB

Download
memory/740-43-0x0000000072F70000-0x0000000073720000-memory.dmp

Filesize
7.7MB

Download
memory/740-95-0x00000000002E0000-0x0000000000660000-memory.dmp

Filesize
3.5MB

Download
memory/740-47-0x0000000006000000-0x0000000006010000-memory.dmp

Filesize
64KB

Download
memory/740-39-0x00000000002E0000-0x0000000000660000-memory.dmp

Filesize
3.5MB

Download
memory/740-45-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/740-42-0x00000000002E0000-0x0000000000660000-memory.dmp

Filesize
3.5MB

Download
memory/740-44-0x00000000002E0000-0x0000000000660000-memory.dmp

Filesize
3.5MB

Download
memory/4676-17-0x0000000000240000-0x0000000000631000-memory.dmp

Filesize
3.9MB

Download
memory/4676-40-0x0000000000240000-0x0000000000631000-memory.dmp

Filesize
3.9MB

Download
memory/5048-48-0x0000000006340000-0x0000000006378000-memory.dmp

Filesize
224KB

Download
memory/5048-71-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/5048-46-0x000000000A1D0000-0x000000000A1D8000-memory.dmp

Filesize
32KB

Download
memory/5048-38-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/5048-49-0x0000000006310000-0x000000000631E000-memory.dmp

Filesize
56KB

Download
memory/5048-37-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/5048-50-0x000000000B850000-0x000000000BE78000-memory.dmp

Filesize
6.2MB

Download
memory/5048-33-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/5048-62-0x000000000B3C0000-0x000000000B3DA000-memory.dmp

Filesize
104KB

Download
memory/5048-63-0x000000000C080000-0x000000000C0B6000-memory.dmp

Filesize
216KB

Download
memory/5048-64-0x000000000C740000-0x000000000CDBA000-memory.dmp

Filesize
6.5MB

Download
memory/5048-65-0x000000000C160000-0x000000000C1F6000-memory.dmp

Filesize
600KB

Download
memory/5048-66-0x000000000C0F0000-0x000000000C112000-memory.dmp

Filesize
136KB

Download
memory/5048-67-0x000000000C120000-0x000000000C13E000-memory.dmp

Filesize
120KB

Download
memory/5048-68-0x000000000C2E0000-0x000000000C32A000-memory.dmp

Filesize
296KB

Download
memory/5048-69-0x000000000CDC0000-0x000000000D114000-memory.dmp

Filesize
3.3MB

Download
memory/5048-70-0x000000000D120000-0x000000000D186000-memory.dmp

Filesize
408KB

Download
memory/5048-41-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/5048-72-0x000000000D190000-0x000000000D1B2000-memory.dmp

Filesize
136KB

Download
memory/5048-73-0x000000000D360000-0x000000000D3AC000-memory.dmp

Filesize
304KB

Download
memory/5048-83-0x000000000E600000-0x000000000E61E000-memory.dmp

Filesize
120KB

Download
memory/5048-84-0x000000000E620000-0x000000000E6C3000-memory.dmp

Filesize
652KB

Download
memory/5048-85-0x000000000E8A0000-0x000000000E8AA000-memory.dmp

Filesize
40KB

Download
memory/5048-86-0x000000000E8D0000-0x000000000E8E1000-memory.dmp

Filesize
68KB

Download
memory/5048-88-0x000000000E900000-0x000000000E90E000-memory.dmp

Filesize
56KB

Download
memory/5048-89-0x000000000E910000-0x000000000E924000-memory.dmp

Filesize
80KB

Download
memory/5048-90-0x000000000E950000-0x000000000E96A000-memory.dmp

Filesize
104KB

Download
memory/5048-91-0x000000000E970000-0x000000000E978000-memory.dmp

Filesize
32KB

Download
memory/5048-92-0x000000000D3E0000-0x000000000D3E8000-memory.dmp

Filesize
32KB

Download
memory/5048-25-0x0000000000780000-0x0000000000B74000-memory.dmp

Filesize
4.0MB

Download
memory/5048-24-0x0000000072F70000-0x0000000073720000-memory.dmp

Filesize
7.7MB

Download
memory/5048-96-0x0000000072F70000-0x0000000073720000-memory.dmp

Filesize
7.7MB

Download
memory/5048-97-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/5048-99-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/5048-100-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download