redline | 4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.7MB
MD5

a615f2eee64c5d7449a8792cc782b6d6
SHA1

cf1dff4fbbf172c6870c30fc3784bdbd53d49a69
SHA256

4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389
SHA512

9b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c
SSDEEP

49152:8kQTAxXCwWJ7d2JtVYtcbQk4fkr73Vreyvi1wwlaYjYMm3:8axbhJItfxMP3Visi1r7sMm

Score

10^/10

redline zgrat @oleh_ps discovery infostealer rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Signatures

Detect ZGRat V1 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3068-44-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
behavioral2/memory/4836-73-0x00000000008D0000-0x0000000000928000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
behavioral2/memory/2400-75-0x0000000000E80000-0x0000000000ED4000-memory.dmp	family_redline
behavioral2/memory/4836-73-0x00000000008D0000-0x0000000000928000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 23 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/1060-2-0x0000000005270000-0x000000000541C000-memory.dmp	net_reactor
behavioral2/memory/1060-4-0x00000000050C0000-0x000000000526C000-memory.dmp	net_reactor
behavioral2/memory/1060-6-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-7-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-11-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-9-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-13-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-17-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-15-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-19-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-21-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-23-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-25-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-27-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-29-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-31-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-33-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-37-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-39-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-41-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/1060-35-0x00000000050C0000-0x0000000005265000-memory.dmp	net_reactor
behavioral2/memory/3068-44-0x0000000000400000-0x0000000000592000-memory.dmp	net_reactor
behavioral2/memory/1060-46-0x0000000002AD0000-0x0000000004AD0000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeLogs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	Logs.exe

Drops startup file 1 IoCs

Processes:

Logs.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Logs.exe
Executes dropped EXE 3 IoCs

Processes:

Logs.exeolehps.exeqemu-ga.exe

pid process

4836 Logs.exe
2400 olehps.exe
3604 qemu-ga.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1060 set thread context of 3068 1060 tmp.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Logs.exeolehps.exe

pid process

4836 Logs.exe
2400 olehps.exe
2400 olehps.exe
2400 olehps.exe
2400 olehps.exe
2400 olehps.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Logs.exe

pid	process
4836	Logs.exe
2400	olehps.exe
3604	qemu-ga.exe

description	pid	process	target process
PID 1060 set thread context of 3068	1060	tmp.exe	RegAsm.exe

pid	process
4836	Logs.exe
2400	olehps.exe
2400	olehps.exe
2400	olehps.exe
2400	olehps.exe
2400	olehps.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tmp.exeLogs.exeolehps.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1060	tmp.exe
Token: SeDebugPrivilege	4836	Logs.exe
Token: SeDebugPrivilege	2400	olehps.exe
Token: SeDebugPrivilege	3068	RegAsm.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

tmp.exeRegAsm.exeLogs.execmd.exe

description	pid	process	target process
PID 1060 wrote to memory of 4592	1060	tmp.exe	RegAsm.exe
PID 1060 wrote to memory of 4592	1060	tmp.exe	RegAsm.exe
PID 1060 wrote to memory of 4592	1060	tmp.exe	RegAsm.exe
PID 1060 wrote to memory of 2908	1060	tmp.exe	RegAsm.exe
PID 1060 wrote to memory of 2908	1060	tmp.exe	RegAsm.exe
PID 1060 wrote to memory of 2908	1060	tmp.exe	RegAsm.exe
PID 1060 wrote to memory of 3068	1060	tmp.exe	RegAsm.exe
PID 1060 wrote to memory of 3068	1060	tmp.exe	RegAsm.exe
PID 1060 wrote to memory of 3068	1060	tmp.exe	RegAsm.exe
PID 1060 wrote to memory of 3068	1060	tmp.exe	RegAsm.exe
PID 1060 wrote to memory of 3068	1060	tmp.exe	RegAsm.exe
PID 1060 wrote to memory of 3068	1060	tmp.exe	RegAsm.exe
PID 1060 wrote to memory of 3068	1060	tmp.exe	RegAsm.exe
PID 1060 wrote to memory of 3068	1060	tmp.exe	RegAsm.exe
PID 3068 wrote to memory of 2400	3068	RegAsm.exe	olehps.exe
PID 3068 wrote to memory of 2400	3068	RegAsm.exe	olehps.exe
PID 3068 wrote to memory of 2400	3068	RegAsm.exe	olehps.exe
PID 3068 wrote to memory of 4836	3068	RegAsm.exe	Logs.exe
PID 3068 wrote to memory of 4836	3068	RegAsm.exe	Logs.exe
PID 3068 wrote to memory of 4836	3068	RegAsm.exe	Logs.exe
PID 4836 wrote to memory of 3604	4836	Logs.exe	qemu-ga.exe
PID 4836 wrote to memory of 3604	4836	Logs.exe	qemu-ga.exe
PID 3068 wrote to memory of 3920	3068	RegAsm.exe	cmd.exe
PID 3068 wrote to memory of 3920	3068	RegAsm.exe	cmd.exe
PID 3068 wrote to memory of 3920	3068	RegAsm.exe	cmd.exe
PID 3920 wrote to memory of 4448	3920	cmd.exe	choice.exe
PID 3920 wrote to memory of 4448	3920	cmd.exe	choice.exe
PID 3920 wrote to memory of 4448	3920	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      4⤵
      Executes dropped EXE
      PID:3604
- - C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
319KB

MD5
e907345a80ff14d72966bc7cf9fb6403

SHA1
75e81e785a3c526917eef9ca5d4bb2e74d2d4923

SHA256
42583a620499351ec1db35bc757b4ef921a364ae92351c55a0961b25a09dfe84

SHA512
7e3fa0cb40b08eb6cfcc8b07c726ce402cd9e2e04a901d079d5d7352c5c1c9bd8389acba0e06ef91c3b00edb9e224c73ee19df33c3dda1a157fb299976eb0cc4

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
227KB

MD5
eb9a725de2daba94ae5d0266cbb564c9

SHA1
962ed32858cafa89600982688d2803a40d98c62b

SHA256
8086dd7832b6e6bc4d23448ad8bdfb05e7892fe69813d0a340fa3cef32fe72a3

SHA512
b8fd59ee207d0476898b4218002d021458540e94d6b4deff246bb9111d2a17c5fbd83b101f3df277223301ec5a35791e99afba38c46b1bf5e8939ccde24c09ea

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

Filesize
238KB

MD5
b3f5a5363b5311629f7dc05d1c29db25

SHA1
1fd44a8f1e2eee3dcedab74ef6237e7b298a0671

SHA256
ce6a588ee74ec89dae5a369d5232a92cdf1d041b03163211fb6fe7ae2ad7e88f

SHA512
dc16226128389dfb369ba59b4b670c8f0a4f9ce048cfd8855fa2dc7d5f5985b5bc2dfe21ddc0158c6f3a7da7877f1a5a625b121198d1c2adeab1ee7e4b5b9148

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
269KB

MD5
30cbfb4593e67dd1a92a93e16d48c120

SHA1
0ab14002975c1ae694a476f49e000b46e8d94fdb

SHA256
8133a632b0d1fe480ca5e3231b2e19107ed89cf091414f9673114b963cf1e80e

SHA512
eff8e62c45a8e713712dbf8de7c95d188575bf86107e085ee205819fd2dce6359ccf79dfa43fdb2825aa919b3c75e8dc483c77697ef434eb3995351d26439802

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
204KB

MD5
cf5c29816541252f6d6b525dcf2078f3

SHA1
ccd267ee3ec5c567f191bae73279cbca0ec94a74

SHA256
33b8473d4a59d2dc703b7fb2976f11c816f5bfb23c328f48e43effa8f92cff9e

SHA512
be0dd1fd3533bf738fd75e35e04af8bb4ef08565b46a7c010258feadabe8a25856320710e2a0d311c8251f577f569ddc232654e53ada3817513818c95848a126

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

Filesize
204KB

MD5
41cb9940c93222058a28447eb6f6fa78

SHA1
b9f14d53105862d6bde5e9a183255252d2e6644f

SHA256
45f0fa82d89e0af179f475d6ca6294d4fb73d5a9e4429c4b5fae59576c1a2f71

SHA512
34f38b273d8e704e544527a033a4e1d255a200e7919fc4c3d071ffd399fc9c8a032b6fbfc65383135fdacc0b8c29808f6ee42e3071dbf632fbf2dfc9f00fcb12

Download Submit
memory/1060-25-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-46-0x0000000002AD0000-0x0000000004AD0000-memory.dmp

Filesize
32.0MB

Download
memory/1060-9-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-13-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-17-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-15-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-1-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/1060-21-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-23-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-0-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1060-27-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-29-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-31-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-33-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-37-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-39-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-41-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-35-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-2-0x0000000005270000-0x000000000541C000-memory.dmp

Filesize
1.7MB

Download
memory/1060-3-0x0000000005420000-0x00000000059C4000-memory.dmp

Filesize
5.6MB

Download
memory/1060-11-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-50-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1060-19-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-5-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/1060-7-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-6-0x00000000050C0000-0x0000000005265000-memory.dmp

Filesize
1.6MB

Download
memory/1060-4-0x00000000050C0000-0x000000000526C000-memory.dmp

Filesize
1.7MB

Download
memory/2400-78-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/2400-82-0x0000000005860000-0x000000000586A000-memory.dmp

Filesize
40KB

Download
memory/2400-76-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/2400-107-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/2400-110-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/2400-75-0x0000000000E80000-0x0000000000ED4000-memory.dmp

Filesize
336KB

Download
memory/2400-108-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/3068-111-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/3068-91-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/3068-47-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/3068-44-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/3068-49-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/3604-106-0x00007FF91D300000-0x00007FF91DDC1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-104-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/3604-112-0x00007FF91D300000-0x00007FF91DDC1000-memory.dmp

Filesize
10.8MB

Download
memory/4836-81-0x00000000053A0000-0x00000000054AA000-memory.dmp

Filesize
1.0MB

Download
memory/4836-87-0x00000000063A0000-0x00000000063BE000-memory.dmp

Filesize
120KB

Download
memory/4836-88-0x0000000007380000-0x0000000007542000-memory.dmp

Filesize
1.8MB

Download
memory/4836-89-0x0000000007260000-0x00000000072B0000-memory.dmp

Filesize
320KB

Download
memory/4836-90-0x0000000007A80000-0x0000000007FAC000-memory.dmp

Filesize
5.2MB

Download
memory/4836-74-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/4836-77-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/4836-83-0x0000000005220000-0x000000000525C000-memory.dmp

Filesize
240KB

Download
memory/4836-105-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/4836-73-0x00000000008D0000-0x0000000000928000-memory.dmp

Filesize
352KB

Download
memory/4836-86-0x00000000060E0000-0x0000000006156000-memory.dmp

Filesize
472KB

Download
memory/4836-80-0x00000000051C0000-0x00000000051D2000-memory.dmp

Filesize
72KB

Download
memory/4836-79-0x00000000059C0000-0x0000000005FD8000-memory.dmp

Filesize
6.1MB

Download
memory/4836-84-0x00000000054B0000-0x00000000054FC000-memory.dmp

Filesize
304KB

Download
memory/4836-85-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download