redline | 083f0f217bff41523e9faa49bb13e9e5d691a3c51341b12d0c4829d8cfc33292

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D412DF3AF3C10AF259FD4CC58E68F00B.exe
Size

210KB
MD5

d412df3af3c10af259fd4cc58e68f00b
SHA1

2de05f08b05fb0abb4b24616db00d0ce1dec420e
SHA256

083f0f217bff41523e9faa49bb13e9e5d691a3c51341b12d0c4829d8cfc33292
SHA512

9bcf5dca3811bed78e59bca04ca934965a93b00c53769de477f33d465279ec10d6355a66e841cecf439d783721784378fd570c0a7ce6af00c3c16aa58a29d808
SSDEEP

3072:01hoF2jJ6wiPa1XzwIxJLp7tUE1NgBS5Bs//dm63NzzEfWw:01hnJ6D1IxPtUyNrsHdmqEf

Score

10^/10

redline sectoprat stormkitty xworm metin credential_access defense_evasion discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

duclog23.duckdns.org:7000

Attributes

Install_directory
%AppData%
install_file
Chrome.exe

Extracted

Family

redline

Botnet

Metin

duclog23.duckdns.org:37552

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/408-306-0x000000001C250000-0x000000001C25E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000234e1-14.dat	family_xworm
behavioral2/memory/408-22-0x0000000000560000-0x0000000000574000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023483-4.dat	family_redline
behavioral2/memory/4300-25-0x00000000004F0000-0x000000000050E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023483-4.dat	family_sectoprat
behavioral2/memory/4300-25-0x00000000004F0000-0x000000000050E000-memory.dmp	family_sectoprat

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/408-313-0x000000001E540000-0x000000001E65E000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
452	powershell.exe
1172	powershell.exe
4124	powershell.exe
3420	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	D412DF3AF3C10AF259FD4CC58E68F00B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Metin.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	Metin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	Metin.exe

Executes dropped EXE 4 IoCs

pid	Process
4300	M2.exe
408	Metin.exe
1168	Chrome.exe
4668	Chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe"	Metin.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D412DF3AF3C10AF259FD4CC58E68F00B.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1600	powershell.exe
1600	powershell.exe
452	powershell.exe
452	powershell.exe
1172	powershell.exe
1172	powershell.exe
4124	powershell.exe
4124	powershell.exe
3420	powershell.exe
3420	powershell.exe
4300	M2.exe
4300	M2.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	408	Metin.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	4300	M2.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	408	Metin.exe
Token: SeDebugPrivilege	1168	Chrome.exe
Token: SeDebugPrivilege	4668	Chrome.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 1600	3908	D412DF3AF3C10AF259FD4CC58E68F00B.exe	85
PID 3908 wrote to memory of 1600	3908	D412DF3AF3C10AF259FD4CC58E68F00B.exe	85
PID 3908 wrote to memory of 1600	3908	D412DF3AF3C10AF259FD4CC58E68F00B.exe	85
PID 3908 wrote to memory of 4300	3908	D412DF3AF3C10AF259FD4CC58E68F00B.exe	87
PID 3908 wrote to memory of 4300	3908	D412DF3AF3C10AF259FD4CC58E68F00B.exe	87
PID 3908 wrote to memory of 4300	3908	D412DF3AF3C10AF259FD4CC58E68F00B.exe	87
PID 3908 wrote to memory of 408	3908	D412DF3AF3C10AF259FD4CC58E68F00B.exe	89
PID 3908 wrote to memory of 408	3908	D412DF3AF3C10AF259FD4CC58E68F00B.exe	89
PID 408 wrote to memory of 452	408	Metin.exe	92
PID 408 wrote to memory of 452	408	Metin.exe	92
PID 408 wrote to memory of 1172	408	Metin.exe	94
PID 408 wrote to memory of 1172	408	Metin.exe	94
PID 408 wrote to memory of 4124	408	Metin.exe	96
PID 408 wrote to memory of 4124	408	Metin.exe	96
PID 408 wrote to memory of 3420	408	Metin.exe	98
PID 408 wrote to memory of 3420	408	Metin.exe	98
PID 408 wrote to memory of 4516	408	Metin.exe	100
PID 408 wrote to memory of 4516	408	Metin.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\D412DF3AF3C10AF259FD4CC58E68F00B.exe
"C:\Users\Admin\AppData\Local\Temp\D412DF3AF3C10AF259FD4CC58E68F00B.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Users\Admin\AppData\Roaming\M2.exe
  "C:\Users\Admin\AppData\Roaming\M2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Users\Admin\AppData\Roaming\Metin.exe
  "C:\Users\Admin\AppData\Roaming\Metin.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Metin.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Metin.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\Admin\AppData\Roaming\Chrome.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4516

C:\Users\Admin\AppData\Roaming\Chrome.exe
C:\Users\Admin\AppData\Roaming\Chrome.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Users\Admin\AppData\Roaming\Chrome.exe
C:\Users\Admin\AppData\Roaming\Chrome.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Chrome.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1f8b23cd03fdfb5d4559ac10c445b89f

SHA1
cea378877687b1967095d5237e3c0111929f012d

SHA256
f1bb0869c1d26c4282aa06a4840a9ca86e9145c136af42bb85b6d2e77e684551

SHA512
3ffe559e174f4706d3e7681f0d88d53dfde5eef56ee5005ccf7b3036a5d6ba85e02fa4d0cb213d237afcb894d79fbe673b18f986f57db2904558f447e42fe550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fe535a6480933cae8297cb5a4380484e

SHA1
48f8846fc76f1fdb44607dd0014ee60db4ca155d

SHA256
b6fab54a2d1891e17db94e840fe82adb01db866d02cd483d3658aeb1db4bb984

SHA512
c2191026b9fe2e6a4ddce85e3b97b3e68870d7dc04b7be5c302a4487ebf28e60d97e23639e410318aaf410f2338b447a91d6a45520d4ec3aafc3f469cae039c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jz4kondy.yib.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB62.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB77.tmp

Filesize
114KB

MD5
0c1ed087a46b3f71327c7b00a935c342

SHA1
149e32ab98b640229886f9daca5fcf93a6a2ed62

SHA256
ff39b4812a90876b408365be758c698fd40b7f0b2d6591099e021f7d642ff991

SHA512
cc51370dc3ad9ad4c3cd34f18b2c2032d8f9ee8fa90ed8326e40d75c9d9f2c1070170551e4128de2089081c8518f8da048c3c7b9a1bd963b0a21b2f1e64fd3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB93.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBBA8.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBBAE.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBBCA.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Roaming\M2.exe

Filesize
95KB

MD5
2598b5fee38d9c0979f009e77f94ea33

SHA1
9c2c0f0734fbf16853de911868024dfbed91e5ec

SHA256
00a709baca231f15267526d7b5db11cd94b0089ed6cfd1667a1ff2ebd584c266

SHA512
d6fa07fdfa6493c3abe95c650dca114b1737d8812fe86476ef8afbb1d34e50b537821a7958acdc243246484fc4f28dd208db4328663bbc22ec79ae34f3340c8e

Download Submit
C:\Users\Admin\AppData\Roaming\Metin.exe

Filesize
51KB

MD5
1d846637aa409d6dd4fd14f70a63f907

SHA1
a0f494b321ef5bd5b95f60d4ee9e4ae836d73b8a

SHA256
08a5ab51f8eee96d3837aaef4d74bf672d937056118003ecfa0e4df9dae49125

SHA512
259bd4d63bd69cdfd9a29303dc5ef3174136353daad23747c4589ed5b760d9905285211850bf49fde37c0ba355f3e463df6633a518affb270cfeb9f24885508c

Download Submit
memory/408-306-0x000000001C250000-0x000000001C25E000-memory.dmp

Filesize
56KB

Download
memory/408-312-0x000000001C7F0000-0x000000001CB40000-memory.dmp

Filesize
3.3MB

Download
memory/408-51-0x000000001B0D0000-0x000000001B0E0000-memory.dmp

Filesize
64KB

Download
memory/408-313-0x000000001E540000-0x000000001E65E000-memory.dmp

Filesize
1.1MB

Download
memory/408-22-0x0000000000560000-0x0000000000574000-memory.dmp

Filesize
80KB

Download
memory/408-21-0x00007FF8D93D3000-0x00007FF8D93D5000-memory.dmp

Filesize
8KB

Download
memory/452-79-0x000001E0DBCA0000-0x000001E0DBCC2000-memory.dmp

Filesize
136KB

Download
memory/1600-41-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/1600-44-0x0000000005E90000-0x00000000061E4000-memory.dmp

Filesize
3.3MB

Download
memory/1600-49-0x0000000006340000-0x000000000635E000-memory.dmp

Filesize
120KB

Download
memory/1600-52-0x00000000072F0000-0x0000000007322000-memory.dmp

Filesize
200KB

Download
memory/1600-53-0x0000000074900000-0x000000007494C000-memory.dmp

Filesize
304KB

Download
memory/1600-63-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/1600-64-0x0000000007530000-0x00000000075D3000-memory.dmp

Filesize
652KB

Download
memory/1600-66-0x0000000007670000-0x000000000768A000-memory.dmp

Filesize
104KB

Download
memory/1600-65-0x0000000007CB0000-0x000000000832A000-memory.dmp

Filesize
6.5MB

Download
memory/1600-67-0x00000000076E0000-0x00000000076EA000-memory.dmp

Filesize
40KB

Download
memory/1600-68-0x0000000007900000-0x0000000007996000-memory.dmp

Filesize
600KB

Download
memory/1600-69-0x0000000007870000-0x0000000007881000-memory.dmp

Filesize
68KB

Download
memory/1600-32-0x0000000005570000-0x0000000005592000-memory.dmp

Filesize
136KB

Download
memory/1600-82-0x00000000078B0000-0x00000000078BE000-memory.dmp

Filesize
56KB

Download
memory/1600-83-0x00000000078C0000-0x00000000078D4000-memory.dmp

Filesize
80KB

Download
memory/1600-33-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/1600-85-0x00000000079A0000-0x00000000079BA000-memory.dmp

Filesize
104KB

Download
memory/1600-23-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/1600-96-0x00000000078F0000-0x00000000078F8000-memory.dmp

Filesize
32KB

Download
memory/1600-26-0x0000000002A10000-0x0000000002A46000-memory.dmp

Filesize
216KB

Download
memory/1600-101-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/1600-42-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/1600-28-0x0000000005610000-0x0000000005C38000-memory.dmp

Filesize
6.2MB

Download
memory/1600-35-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/4300-304-0x0000000006970000-0x00000000069E6000-memory.dmp

Filesize
472KB

Download
memory/4300-302-0x0000000007540000-0x0000000007AE4000-memory.dmp

Filesize
5.6MB

Download
memory/4300-31-0x0000000004DE0000-0x0000000004E1C000-memory.dmp

Filesize
240KB

Download
memory/4300-128-0x0000000006360000-0x0000000006522000-memory.dmp

Filesize
1.8MB

Download
memory/4300-129-0x0000000006A60000-0x0000000006F8C000-memory.dmp

Filesize
5.2MB

Download
memory/4300-30-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4300-34-0x0000000004E20000-0x0000000004E6C000-memory.dmp

Filesize
304KB

Download
memory/4300-303-0x00000000068D0000-0x0000000006962000-memory.dmp

Filesize
584KB

Download
memory/4300-29-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/4300-305-0x00000000069F0000-0x0000000006A0E000-memory.dmp

Filesize
120KB

Download
memory/4300-27-0x0000000005300000-0x0000000005918000-memory.dmp

Filesize
6.1MB

Download
memory/4300-307-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/4300-50-0x0000000005080000-0x000000000518A000-memory.dmp

Filesize
1.0MB

Download
memory/4300-25-0x00000000004F0000-0x000000000050E000-memory.dmp

Filesize
120KB

Download
memory/4300-48-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/4300-355-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download