redline | ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4

Analysis

max time kernel
117s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
09-02-2023 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe
Size

766KB
MD5

9309efba2a7b7ac7f0cb727bf6df9ea2
SHA1

8434e86093fe1bfdcc7956cab3769d1d297e8586
SHA256

ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4
SHA512

b541e1498e2cacfad78a30ab5fb86f4fc7136110616f80c9abc6dc4598ac72dc38ae668dd7b5d7adaa4d2a72ca59de906da7bd2178f40d12ce23b29a733b77b2
SSDEEP

12288:mMrNy90XUIWIw/O5NCjxwNCvhzOAUAdf2YEh8NWl628SirVXsn:Tyu6WNAlvhUAgY3VSiVsn

Score

10^/10

redline crypt dubna discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dubna

193.233.20.11:4131

Attributes

auth_value
f324b1269094b7462e56bab025f032f4

Extracted

Family

redline

Botnet

crypt

176.113.115.17:4132

Attributes

auth_value
407e05c9b3a74d99a20f90b091547bd6

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

afs68.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	afs68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	afs68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	afs68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	afs68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	afs68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	afs68.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 6 IoCs

Processes:

dkw69.exedhc65.exeafs68.exebCI01.execFS13.exedkt78.exe

pid process

4832 dkw69.exe
4776 dhc65.exe
1256 afs68.exe
4576 bCI01.exe
2876 cFS13.exe
5000 dkt78.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

afs68.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" afs68.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4832	dkw69.exe
4776	dhc65.exe
1256	afs68.exe
4576	bCI01.exe
2876	cFS13.exe
5000	dkt78.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	afs68.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exedkw69.exedhc65.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dkw69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dkw69.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dhc65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dhc65.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

dkt78.exe

description pid process target process

PID 5000 set thread context of 3512 5000 dkt78.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

112 2876 WerFault.exe cFS13.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

afs68.exebCI01.execFS13.exeAppLaunch.exe

pid process

1256 afs68.exe
1256 afs68.exe
4576 bCI01.exe
4576 bCI01.exe
2876 cFS13.exe
2876 cFS13.exe
3512 AppLaunch.exe
3512 AppLaunch.exe

description	pid	process	target process
PID 5000 set thread context of 3512	5000	dkt78.exe	AppLaunch.exe

pid	pid_target	process	target process
112	2876	WerFault.exe	cFS13.exe

pid	process
1256	afs68.exe
1256	afs68.exe
4576	bCI01.exe
4576	bCI01.exe
2876	cFS13.exe
2876	cFS13.exe
3512	AppLaunch.exe
3512	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

afs68.exebCI01.execFS13.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1256	afs68.exe
Token: SeDebugPrivilege	4576	bCI01.exe
Token: SeDebugPrivilege	2876	cFS13.exe
Token: SeDebugPrivilege	3512	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exedkw69.exedhc65.exedkt78.exe

description	pid	process	target process
PID 4876 wrote to memory of 4832	4876	ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe	dkw69.exe
PID 4876 wrote to memory of 4832	4876	ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe	dkw69.exe
PID 4876 wrote to memory of 4832	4876	ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe	dkw69.exe
PID 4832 wrote to memory of 4776	4832	dkw69.exe	dhc65.exe
PID 4832 wrote to memory of 4776	4832	dkw69.exe	dhc65.exe
PID 4832 wrote to memory of 4776	4832	dkw69.exe	dhc65.exe
PID 4776 wrote to memory of 1256	4776	dhc65.exe	afs68.exe
PID 4776 wrote to memory of 1256	4776	dhc65.exe	afs68.exe
PID 4776 wrote to memory of 4576	4776	dhc65.exe	bCI01.exe
PID 4776 wrote to memory of 4576	4776	dhc65.exe	bCI01.exe
PID 4776 wrote to memory of 4576	4776	dhc65.exe	bCI01.exe
PID 4832 wrote to memory of 2876	4832	dkw69.exe	cFS13.exe
PID 4832 wrote to memory of 2876	4832	dkw69.exe	cFS13.exe
PID 4832 wrote to memory of 2876	4832	dkw69.exe	cFS13.exe
PID 4876 wrote to memory of 5000	4876	ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe	dkt78.exe
PID 4876 wrote to memory of 5000	4876	ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe	dkt78.exe
PID 4876 wrote to memory of 5000	4876	ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe	dkt78.exe
PID 5000 wrote to memory of 3512	5000	dkt78.exe	AppLaunch.exe
PID 5000 wrote to memory of 3512	5000	dkt78.exe	AppLaunch.exe
PID 5000 wrote to memory of 3512	5000	dkt78.exe	AppLaunch.exe
PID 5000 wrote to memory of 3512	5000	dkt78.exe	AppLaunch.exe
PID 5000 wrote to memory of 3512	5000	dkt78.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe
"C:\Users\Admin\AppData\Local\Temp\ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkw69.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkw69.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dhc65.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dhc65.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\afs68.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\afs68.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bCI01.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bCI01.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFS13.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFS13.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1320
4⤵
- Program crash
PID:112

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkt78.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkt78.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2876 -ip 2876
1⤵
PID:5096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkt78.exe
Filesize
283KB

MD5
457dcca2cfa8e1592521e4bc580d2097

SHA1
de855fa7934126fd1cde834b752999ebe79e367f

SHA256
54ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc

SHA512
d15709dd44e184612a86e7201c78887771e7cc062e8b4daf83c5bbf1d6dd74320e8c5058cde295d412d8e5b135f8686f8ed56aa9aa2a439b022319e6723bb752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkt78.exe
Filesize
283KB

MD5
457dcca2cfa8e1592521e4bc580d2097

SHA1
de855fa7934126fd1cde834b752999ebe79e367f

SHA256
54ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc

SHA512
d15709dd44e184612a86e7201c78887771e7cc062e8b4daf83c5bbf1d6dd74320e8c5058cde295d412d8e5b135f8686f8ed56aa9aa2a439b022319e6723bb752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkw69.exe
Filesize
533KB

MD5
e01375023cf173027afed87a31a236a2

SHA1
c34f08fb74a9c65880281930feb42331dbe0cc41

SHA256
816fbd0d96481e375d9c459dc6facfb3258c033745e9ec9bc0df45555e7d1ed4

SHA512
80418091b09b0568abc293e759bcbe5fdf49678fe51ac2f943e10f9007be26958401ab405bff246e930fe7a3cdbfc3a72f23fd1bd73c69ed4022485823b53ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkw69.exe
Filesize
533KB

MD5
e01375023cf173027afed87a31a236a2

SHA1
c34f08fb74a9c65880281930feb42331dbe0cc41

SHA256
816fbd0d96481e375d9c459dc6facfb3258c033745e9ec9bc0df45555e7d1ed4

SHA512
80418091b09b0568abc293e759bcbe5fdf49678fe51ac2f943e10f9007be26958401ab405bff246e930fe7a3cdbfc3a72f23fd1bd73c69ed4022485823b53ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFS13.exe
Filesize
294KB

MD5
9cb6d089c5dbcb55ff923bd6284fbcb7

SHA1
8c7b12dba74c380b009a0709ecc916bd724b2958

SHA256
b574767f81c77eee3e648805547b525692645f122b6bfd2461790c506ba7e339

SHA512
f9cdc7f8272ab230056534c587de70ecd41e62814c44f6861b50218237ab0142a3d2451cd1ab9058866eca5ca29db4558b76d2bbc668a333043b8e31bee5dfe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFS13.exe
Filesize
294KB

MD5
9cb6d089c5dbcb55ff923bd6284fbcb7

SHA1
8c7b12dba74c380b009a0709ecc916bd724b2958

SHA256
b574767f81c77eee3e648805547b525692645f122b6bfd2461790c506ba7e339

SHA512
f9cdc7f8272ab230056534c587de70ecd41e62814c44f6861b50218237ab0142a3d2451cd1ab9058866eca5ca29db4558b76d2bbc668a333043b8e31bee5dfe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dhc65.exe
Filesize
202KB

MD5
1cf1aa71c805152b1e49d65fa15502b0

SHA1
c8cbe4faca8f10efe62d64b8c52edf4d84b8b9d2

SHA256
303a6ffa2e0f8e0a0db12ef102064970ec575a44ae3480d427695ab845d6867e

SHA512
d469e7b0e02b2b350fab8f8e67a084dd6756e7da88c056b37b762a381cf35f8654945423aed2bd4bdc8dbc8e41cddf26aa7c5cc026406a75862af3f27c786beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dhc65.exe
Filesize
202KB

MD5
1cf1aa71c805152b1e49d65fa15502b0

SHA1
c8cbe4faca8f10efe62d64b8c52edf4d84b8b9d2

SHA256
303a6ffa2e0f8e0a0db12ef102064970ec575a44ae3480d427695ab845d6867e

SHA512
d469e7b0e02b2b350fab8f8e67a084dd6756e7da88c056b37b762a381cf35f8654945423aed2bd4bdc8dbc8e41cddf26aa7c5cc026406a75862af3f27c786beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\afs68.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\afs68.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bCI01.exe
Filesize
175KB

MD5
ef8079cf160510d0da7162bc08f753d8

SHA1
e786cc8bee83e4a37433ddccf9d3540e1f6533fe

SHA256
a6416ca607f03e7d02dd9c8b546113c71f421c0ba8438dafb941d25f8cf2c9e6

SHA512
959b08126358527b794a276f6e9f818250f888d9f108b46766f6c2e50186acc8f406acbeb94ca97b5f0e329b27f3851003446715d5d040b5c0fef4010011a2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bCI01.exe
Filesize
175KB

MD5
ef8079cf160510d0da7162bc08f753d8

SHA1
e786cc8bee83e4a37433ddccf9d3540e1f6533fe

SHA256
a6416ca607f03e7d02dd9c8b546113c71f421c0ba8438dafb941d25f8cf2c9e6

SHA512
959b08126358527b794a276f6e9f818250f888d9f108b46766f6c2e50186acc8f406acbeb94ca97b5f0e329b27f3851003446715d5d040b5c0fef4010011a2c3

Download Submit
memory/1256-142-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/1256-138-0x0000000000000000-mapping.dmp

Download
memory/1256-141-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/1256-143-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/1256-144-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2876-165-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2876-168-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2876-167-0x00000000005C4000-0x00000000005F3000-memory.dmp

Filesize
188KB

Download
memory/2876-166-0x00000000005C4000-0x00000000005F3000-memory.dmp

Filesize
188KB

Download
memory/2876-160-0x0000000000000000-mapping.dmp

Download
memory/2876-164-0x00000000021F0000-0x000000000223B000-memory.dmp

Filesize
300KB

Download
memory/2876-163-0x00000000005C4000-0x00000000005F3000-memory.dmp

Filesize
188KB

Download
memory/3512-172-0x0000000000000000-mapping.dmp

Download
memory/3512-173-0x0000000000510000-0x0000000000542000-memory.dmp

Filesize
200KB

Download
memory/4576-152-0x0000000004E80000-0x0000000004EBC000-memory.dmp

Filesize
240KB

Download
memory/4576-154-0x0000000006380000-0x0000000006924000-memory.dmp

Filesize
5.6MB

Download
memory/4576-158-0x0000000006930000-0x0000000006AF2000-memory.dmp

Filesize
1.8MB

Download
memory/4576-145-0x0000000000000000-mapping.dmp

Download
memory/4576-157-0x0000000006050000-0x00000000060A0000-memory.dmp

Filesize
320KB

Download
memory/4576-156-0x0000000005FD0000-0x0000000006046000-memory.dmp

Filesize
472KB

Download
memory/4576-155-0x0000000005EB0000-0x0000000005F42000-memory.dmp

Filesize
584KB

Download
memory/4576-159-0x0000000007030000-0x000000000755C000-memory.dmp

Filesize
5.2MB

Download
memory/4576-153-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/4576-151-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/4576-150-0x0000000004ED0000-0x0000000004FDA000-memory.dmp

Filesize
1.0MB

Download
memory/4576-148-0x0000000000430000-0x0000000000462000-memory.dmp

Filesize
200KB

Download
memory/4576-149-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/4776-135-0x0000000000000000-mapping.dmp

Download
memory/4832-132-0x0000000000000000-mapping.dmp

Download
memory/5000-169-0x0000000000000000-mapping.dmp

Download