redline | b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277

Analysis

max time kernel
79s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe
Size

688KB
MD5

55f8f5af46c32287f95222faf9a31521
SHA1

37f33271fe8734a16b7ac883937d5d7ffc2e02bf
SHA256

b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277
SHA512

c8d9b8eede45a38b60e4d4d63beda9e2e02fc7de1c2286e2ae2e988a497de2180d6973584fc536252e53cfb419cce4aab170558eb5f3bc513df0406c9801e258
SSDEEP

12288:eMroy90LdgxsZadxQOLllhFOCeHkjIdx6Nag+dBWeMZ1Pp2Rh:qyMgxBqO2YIdYa9dYbjh+

Score

10^/10

redline boris lenka discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

lenka

193.233.20.32:4125

Attributes

auth_value
8a60e8b2ec79d6a7e92f9feac39b8830

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro6606.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro6606.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro6606.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro6606.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro6606.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro6606.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/564-191-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-190-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-193-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-195-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-197-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-199-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-201-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-203-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-205-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-207-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-209-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-213-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-211-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-215-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-220-0x00000000071B0000-0x00000000071C0000-memory.dmp	family_redline
behavioral1/memory/564-223-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-225-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-218-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-227-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/564-1110-0x00000000071B0000-0x00000000071C0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1340	unio0693.exe
1784	pro6606.exe
564	qu1501.exe
4892	si677554.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro6606.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro6606.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	unio0693.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	unio0693.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4508	1784	WerFault.exe	85
4348	564	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1784	pro6606.exe
1784	pro6606.exe
564	qu1501.exe
564	qu1501.exe
4892	si677554.exe
4892	si677554.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	pro6606.exe
Token: SeDebugPrivilege	564	qu1501.exe
Token: SeDebugPrivilege	4892	si677554.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1340	2156	b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe	84
PID 2156 wrote to memory of 1340	2156	b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe	84
PID 2156 wrote to memory of 1340	2156	b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe	84
PID 1340 wrote to memory of 1784	1340	unio0693.exe	85
PID 1340 wrote to memory of 1784	1340	unio0693.exe	85
PID 1340 wrote to memory of 1784	1340	unio0693.exe	85
PID 1340 wrote to memory of 564	1340	unio0693.exe	96
PID 1340 wrote to memory of 564	1340	unio0693.exe	96
PID 1340 wrote to memory of 564	1340	unio0693.exe	96
PID 2156 wrote to memory of 4892	2156	b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe	103
PID 2156 wrote to memory of 4892	2156	b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe	103
PID 2156 wrote to memory of 4892	2156	b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe	103

C:\Users\Admin\AppData\Local\Temp\b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe
"C:\Users\Admin\AppData\Local\Temp\b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0693.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0693.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6606.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6606.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1084
      4⤵
      Program crash
      PID:4508
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1501.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1501.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1352
      4⤵
      Program crash
      PID:4348
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si677554.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si677554.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1784 -ip 1784
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 564 -ip 564
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si677554.exe

Filesize
175KB

MD5
d8cb00a7413040c5ee062137deac5809

SHA1
9fb09584bbb1502edbca55c4e1f8e36ae47466b0

SHA256
e5ff58141efbc15dcbb4075821787863b9465a872d95ad75b34f2301a2970a76

SHA512
faa350ed1548c3f9305d35f5bc8c147545757ce3f10e43767dd4f3e4855af64dfc5bbb4fc0690198a5d9211354c912425fee1b382c6d19d69bb616df2ace3827

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si677554.exe

Filesize
175KB

MD5
d8cb00a7413040c5ee062137deac5809

SHA1
9fb09584bbb1502edbca55c4e1f8e36ae47466b0

SHA256
e5ff58141efbc15dcbb4075821787863b9465a872d95ad75b34f2301a2970a76

SHA512
faa350ed1548c3f9305d35f5bc8c147545757ce3f10e43767dd4f3e4855af64dfc5bbb4fc0690198a5d9211354c912425fee1b382c6d19d69bb616df2ace3827

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0693.exe

Filesize
547KB

MD5
0f85e493b3ce4e7617dc6b223770c6ed

SHA1
b5d611c3c8ceb654676c47ed3f9aa2235e16db14

SHA256
aa6c6e30cc3db333e2b3031bd69ae62335ee1f1958bdca2e8b7605444b55c40b

SHA512
cc5914ac19f88d05f81c42894413ad73a7f020ca2df7183e8ce98ed9c628d324b38c1c227e29a185a8e8e1c4c6e04c01aa7861827096360a869245feea5c5935

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0693.exe

Filesize
547KB

MD5
0f85e493b3ce4e7617dc6b223770c6ed

SHA1
b5d611c3c8ceb654676c47ed3f9aa2235e16db14

SHA256
aa6c6e30cc3db333e2b3031bd69ae62335ee1f1958bdca2e8b7605444b55c40b

SHA512
cc5914ac19f88d05f81c42894413ad73a7f020ca2df7183e8ce98ed9c628d324b38c1c227e29a185a8e8e1c4c6e04c01aa7861827096360a869245feea5c5935

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6606.exe

Filesize
329KB

MD5
ca7bb1b8982d3a2b836893de2e74b3ed

SHA1
4954325e6b2f197e4f35b6b8ee451e03d6c930b1

SHA256
259b22256fb3cf62d1364dccfeb56e55c18ed306cb36972e672c8b05957bd384

SHA512
ea1c94dc338b9512634bfae188d553c9950e19783164552f8b7e6f6502209fb23a95f88ea4c0f9c237074821fbada3c9296562da896581cc540883b693912d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6606.exe

Filesize
329KB

MD5
ca7bb1b8982d3a2b836893de2e74b3ed

SHA1
4954325e6b2f197e4f35b6b8ee451e03d6c930b1

SHA256
259b22256fb3cf62d1364dccfeb56e55c18ed306cb36972e672c8b05957bd384

SHA512
ea1c94dc338b9512634bfae188d553c9950e19783164552f8b7e6f6502209fb23a95f88ea4c0f9c237074821fbada3c9296562da896581cc540883b693912d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1501.exe

Filesize
387KB

MD5
71eb2d0b5a34ebca3cbcbd99d2df28a0

SHA1
d72964624b8557466dd55ace800efa21f2058871

SHA256
626ff3c3bd5211bdeedb3f9199101c5bb735db56b4fe9f8202809e392c599477

SHA512
980afa88966031bce26dbe37931940f6b15b4324cc6057c6a8061417fc2c35db8ac456aacfb47b1210678e4c319e079e5acd9a2575c5bd2d74d4e1e31d87571a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1501.exe

Filesize
387KB

MD5
71eb2d0b5a34ebca3cbcbd99d2df28a0

SHA1
d72964624b8557466dd55ace800efa21f2058871

SHA256
626ff3c3bd5211bdeedb3f9199101c5bb735db56b4fe9f8202809e392c599477

SHA512
980afa88966031bce26dbe37931940f6b15b4324cc6057c6a8061417fc2c35db8ac456aacfb47b1210678e4c319e079e5acd9a2575c5bd2d74d4e1e31d87571a

Download Submit
memory/564-227-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-1102-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/564-1115-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/564-1114-0x0000000008F50000-0x000000000947C000-memory.dmp

Filesize
5.2MB

Download
memory/564-1113-0x0000000008D70000-0x0000000008F32000-memory.dmp

Filesize
1.8MB

Download
memory/564-1112-0x0000000008D00000-0x0000000008D50000-memory.dmp

Filesize
320KB

Download
memory/564-1111-0x0000000008C80000-0x0000000008CF6000-memory.dmp

Filesize
472KB

Download
memory/564-1110-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/564-1109-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/564-1108-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/564-1107-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/564-1106-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/564-1104-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/564-1103-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/564-1101-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/564-1100-0x0000000007790000-0x0000000007DA8000-memory.dmp

Filesize
6.1MB

Download
memory/564-218-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-225-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-222-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/564-223-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-220-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/564-219-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/564-191-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-190-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-193-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-195-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-197-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-199-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-201-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-203-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-205-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-207-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-209-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-213-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-211-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-215-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/564-217-0x0000000002C90000-0x0000000002CDB000-memory.dmp

Filesize
300KB

Download
memory/1784-172-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-149-0x0000000002D60000-0x0000000002D8D000-memory.dmp

Filesize
180KB

Download
memory/1784-185-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/1784-183-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/1784-184-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/1784-181-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/1784-150-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/1784-180-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-178-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-153-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-176-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-174-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-152-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/1784-151-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/1784-162-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-166-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-164-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-160-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-168-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-158-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-156-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-154-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-170-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1784-148-0x00000000073D0000-0x0000000007974000-memory.dmp

Filesize
5.6MB

Download
memory/4892-1122-0x0000000000670000-0x00000000006A2000-memory.dmp

Filesize
200KB

Download
memory/4892-1123-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download