redline | 0372f8e2ae02cf9e52cbd226ff8e1f5fd3c0404858dc41439dd2fe49adfbfadf

Analysis

max time kernel
22s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Script.exe
Size

436KB
MD5

db9f3a98bc34ba5cd74ea5fdbac2fd64
SHA1

9521048c031804b3a004e8817d814fd388de4ebd
SHA256

0372f8e2ae02cf9e52cbd226ff8e1f5fd3c0404858dc41439dd2fe49adfbfadf
SHA512

19ab07f4368d7b91a703b65ee7bc7dc7ddaf3f4a1f10561ac7b38d258bcf1f06c26a7dd3945d2e50bf05ecff65c7219f47aa26fcc59c7586a76e8b13e8ae6b9d
SSDEEP

6144:qM0jq5dOzh7bSLd0dRwVA8mIXagfTG6O0L4WP2UZia8xNeI/rr3S3U:90jq5dYj8vXagfTG6O0LcUkxNH3S3U

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

45.15.156.127:48665

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3224-0-0x0000000000640000-0x0000000000690000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	Script.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe
3224	Script.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3224	Script.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 1812	3224	Script.exe	109
PID 3224 wrote to memory of 1812	3224	Script.exe	109
PID 1812 wrote to memory of 3784	1812	msedge.exe	110
PID 1812 wrote to memory of 3784	1812	msedge.exe	110
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 1880	1812	msedge.exe	111
PID 1812 wrote to memory of 384	1812	msedge.exe	112
PID 1812 wrote to memory of 384	1812	msedge.exe	112
PID 1812 wrote to memory of 220	1812	msedge.exe	113
PID 1812 wrote to memory of 220	1812	msedge.exe	113
PID 1812 wrote to memory of 220	1812	msedge.exe	113
PID 1812 wrote to memory of 220	1812	msedge.exe	113
PID 1812 wrote to memory of 220	1812	msedge.exe	113
PID 1812 wrote to memory of 220	1812	msedge.exe	113
PID 1812 wrote to memory of 220	1812	msedge.exe	113

C:\Users\Admin\AppData\Local\Temp\Script.exe
"C:\Users\Admin\AppData\Local\Temp\Script.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.129 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.92 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x348,0x7ffa067e5fd8,0x7ffa067e5fe4,0x7ffa067e5ff0
    3⤵
    PID:3784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2612 --field-trial-handle=2616,i,15821290511423019391,5759160254650535517,262144 --variations-seed-version /prefetch:2
    3⤵
    PID:1880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2944 --field-trial-handle=2616,i,15821290511423019391,5759160254650535517,262144 --variations-seed-version /prefetch:3
    3⤵
    PID:384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3064 --field-trial-handle=2616,i,15821290511423019391,5759160254650535517,262144 --variations-seed-version /prefetch:8
    3⤵
    PID:220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3468 --field-trial-handle=2616,i,15821290511423019391,5759160254650535517,262144 --variations-seed-version /prefetch:1
    3⤵
    PID:2836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3644 --field-trial-handle=2616,i,15821290511423019391,5759160254650535517,262144 --variations-seed-version /prefetch:1
    3⤵
    PID:1112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3896 --field-trial-handle=2616,i,15821290511423019391,5759160254650535517,262144 --variations-seed-version /prefetch:1
    3⤵
    PID:4396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5092 --field-trial-handle=2616,i,15821290511423019391,5759160254650535517,262144 --variations-seed-version /prefetch:1
    3⤵
    PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4380 --field-trial-handle=2616,i,15821290511423019391,5759160254650535517,262144 --variations-seed-version /prefetch:1
    3⤵
    PID:1492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5316 --field-trial-handle=2616,i,15821290511423019391,5759160254650535517,262144 --variations-seed-version /prefetch:1
    3⤵
    PID:1244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=2616,i,15821290511423019391,5759160254650535517,262144 --variations-seed-version /prefetch:8
    3⤵
    PID:1060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=3404 --field-trial-handle=2616,i,15821290511423019391,5759160254650535517,262144 --variations-seed-version /prefetch:8
    3⤵
    PID:2564
- - C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6056 --field-trial-handle=2616,i,15821290511423019391,5759160254650535517,262144 --variations-seed-version /prefetch:8
    3⤵
    PID:4668
- - C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6056 --field-trial-handle=2616,i,15821290511423019391,5759160254650535517,262144 --variations-seed-version /prefetch:8
    3⤵
    PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
d846aa1b9e899ccd9e477287b0d26f2e

SHA1
015b419e83869caf82608abe582ccde8076f3be3

SHA256
b77f98f3064c6573fab74a05d76398099a936f577a25cb49df279139bd40738e

SHA512
f291559aa56c00344282aa067abf1efa51274c467734c865823f8a1135780a7d3d72770bf0abe3a38ebeae28f347d0c254358e2855bb5d4b5cf23cef21b0af4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
6ef0c033e9fea3eeb6fd914457cf0417

SHA1
326332b51cc78d5640f62317c13cb1396b5642fb

SHA256
b890204e7ea019b63a4ffb11e8688675b2c1ed0adb68bacb7f1c4b25e6d99e75

SHA512
0a5e5fef85f94eca8884e7a72ce143fd4a22dc47982d06adbb1ca2fa6dd885cfd4b7fea229f515dec135e0daaa108841d7de514d52a7c645d74dd7092dae918d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
36KB

MD5
5c5e3df47797b10abafe5654f3c3c805

SHA1
bc66fa9ebc38fb03df57b799cedae41fb01d46d3

SHA256
8cbad776dd9b34d99acf808bf45e67f80cbec628c9da76feca77bcf29531b2e0

SHA512
18664942337c0a67a2eb935f6701ee68d058400fcb5dd45febaa627e164eb6e67d179f95779219f8186a151ffd6b3afe5214bd4964f79963d7709dc5eb1a93f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
05a45ac6a35c60b4ec9bd7e36ab09f30

SHA1
efd7207ec6ccc39a7215c7d3bc869504e7777780

SHA256
af7267664f15f0a4dcd21679d4d057ee209955beb489f0952e40eef1a27d2327

SHA512
18173792a1243325e7040b89b2fae3ddc92736d643aab3e5c7323dd6a1929284d155a7bade262d72591cbbab9d02fda5dd4e7da16da5e4c81162db79b124a4a9

Download Submit
memory/3224-8-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/3224-17-0x00000000074E0000-0x0000000007A0C000-memory.dmp

Filesize
5.2MB

Download
memory/3224-12-0x0000000005420000-0x000000000545C000-memory.dmp

Filesize
240KB

Download
memory/3224-13-0x00000000054D0000-0x000000000551C000-memory.dmp

Filesize
304KB

Download
memory/3224-14-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/3224-15-0x0000000007260000-0x00000000072B0000-memory.dmp

Filesize
320KB

Download
memory/3224-16-0x00000000072F0000-0x00000000074B2000-memory.dmp

Filesize
1.8MB

Download
memory/3224-11-0x0000000005400000-0x0000000005412000-memory.dmp

Filesize
72KB

Download
memory/3224-10-0x00000000052F0000-0x00000000053FA000-memory.dmp

Filesize
1.0MB

Download
memory/3224-9-0x00000000057A0000-0x0000000005DB8000-memory.dmp

Filesize
6.1MB

Download
memory/3224-0-0x0000000000640000-0x0000000000690000-memory.dmp

Filesize
320KB

Download
memory/3224-7-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/3224-6-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/3224-5-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/3224-4-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download