redline | fa1a949697fd45d9be0ea62067cec38b9a31d45501850b02ac9936f6e5565559

Analysis

max time kernel
144s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2023, 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa1a949697fd45d9be0ea62067cec38b9a31d45501850b02ac9936f6e5565559.exe
Size

689KB
MD5

7d98888b36108e17ae146e333cd22777
SHA1

917cd2e4926c3a59d193a3991beb925f5c806f65
SHA256

fa1a949697fd45d9be0ea62067cec38b9a31d45501850b02ac9936f6e5565559
SHA512

2f4d19a883a79af57b47315167f4ca0321a748619907dc8a85cac32a27ba00559e5bd245f519a49051839c7851d263a408d0fe4efa08eef2b45e4f316ad0dcbc
SSDEEP

12288:FMr8y905hvkMkxIE4gph9V7Uusknnzpp5JA/dyMKT965666Pes701Lddq:VyEhvkMaRjFUusknVp5Jzl46P101rq

Score

10^/10

redline boris dogma discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

dogma

193.233.20.32:4125

Attributes

auth_value
1b692976ca991040f2e8890409c35142

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5071.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5071.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5071.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5071.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5071.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro5071.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/4264-191-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-192-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-194-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-196-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-198-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-200-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-202-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-204-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-206-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-208-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-210-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-217-0x0000000007210000-0x0000000007220000-memory.dmp	family_redline
behavioral1/memory/4264-215-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-218-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-220-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-222-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-224-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-226-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4264-228-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2608	un572778.exe
1048	pro5071.exe
4264	qu9080.exe
836	si624984.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5071.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5071.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un572778.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un572778.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fa1a949697fd45d9be0ea62067cec38b9a31d45501850b02ac9936f6e5565559.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fa1a949697fd45d9be0ea62067cec38b9a31d45501850b02ac9936f6e5565559.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
440	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4524	1048	WerFault.exe	84
3716	4264	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1048	pro5071.exe
1048	pro5071.exe
4264	qu9080.exe
4264	qu9080.exe
836	si624984.exe
836	si624984.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	pro5071.exe
Token: SeDebugPrivilege	4264	qu9080.exe
Token: SeDebugPrivilege	836	si624984.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 2608	4976	fa1a949697fd45d9be0ea62067cec38b9a31d45501850b02ac9936f6e5565559.exe	83
PID 4976 wrote to memory of 2608	4976	fa1a949697fd45d9be0ea62067cec38b9a31d45501850b02ac9936f6e5565559.exe	83
PID 4976 wrote to memory of 2608	4976	fa1a949697fd45d9be0ea62067cec38b9a31d45501850b02ac9936f6e5565559.exe	83
PID 2608 wrote to memory of 1048	2608	un572778.exe	84
PID 2608 wrote to memory of 1048	2608	un572778.exe	84
PID 2608 wrote to memory of 1048	2608	un572778.exe	84
PID 2608 wrote to memory of 4264	2608	un572778.exe	91
PID 2608 wrote to memory of 4264	2608	un572778.exe	91
PID 2608 wrote to memory of 4264	2608	un572778.exe	91
PID 4976 wrote to memory of 836	4976	fa1a949697fd45d9be0ea62067cec38b9a31d45501850b02ac9936f6e5565559.exe	95
PID 4976 wrote to memory of 836	4976	fa1a949697fd45d9be0ea62067cec38b9a31d45501850b02ac9936f6e5565559.exe	95
PID 4976 wrote to memory of 836	4976	fa1a949697fd45d9be0ea62067cec38b9a31d45501850b02ac9936f6e5565559.exe	95

C:\Users\Admin\AppData\Local\Temp\fa1a949697fd45d9be0ea62067cec38b9a31d45501850b02ac9936f6e5565559.exe
"C:\Users\Admin\AppData\Local\Temp\fa1a949697fd45d9be0ea62067cec38b9a31d45501850b02ac9936f6e5565559.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un572778.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un572778.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5071.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5071.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1080
      4⤵
      Program crash
      PID:4524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9080.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9080.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4264
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1308
      4⤵
      Program crash
      PID:3716
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si624984.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si624984.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1048 -ip 1048
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4264 -ip 4264
1⤵
PID:4536

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si624984.exe

Filesize
175KB

MD5
17d09c18d868eb385ff28c360ac8c677

SHA1
480ce3c0115ebd6cb12c2d744f87b093c8f3ebc5

SHA256
5a2f4040629fb08a46561e5536e4f720d1ae02cb45b311602071d47913692c45

SHA512
3d61276e6e6f276491e2a77c6386cc9d4b9a2f12465acb57f34280c43af3b9dfad9c69156720566fa9cb36e2f3abf8fdbe298cd745232aadaaad6d63c0568c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si624984.exe

Filesize
175KB

MD5
17d09c18d868eb385ff28c360ac8c677

SHA1
480ce3c0115ebd6cb12c2d744f87b093c8f3ebc5

SHA256
5a2f4040629fb08a46561e5536e4f720d1ae02cb45b311602071d47913692c45

SHA512
3d61276e6e6f276491e2a77c6386cc9d4b9a2f12465acb57f34280c43af3b9dfad9c69156720566fa9cb36e2f3abf8fdbe298cd745232aadaaad6d63c0568c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un572778.exe

Filesize
547KB

MD5
45d2ffb6205a9f2d2ad9d3d03d019193

SHA1
d3d031eba5cc1f171b7c96e0b51c94f4d13bd7f1

SHA256
12361e2c0530fde432b8b807b0bf7f031281946bc36f7b5d0200b9ba14c63d33

SHA512
1d1602ca1461c029c6da2966573f9b4cdcf216734c3a79fd70d89a938127bd3bc472e6f3d9d33744333001f449164e3895620ba7a2d49bd2c7d3ca5902bff0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un572778.exe

Filesize
547KB

MD5
45d2ffb6205a9f2d2ad9d3d03d019193

SHA1
d3d031eba5cc1f171b7c96e0b51c94f4d13bd7f1

SHA256
12361e2c0530fde432b8b807b0bf7f031281946bc36f7b5d0200b9ba14c63d33

SHA512
1d1602ca1461c029c6da2966573f9b4cdcf216734c3a79fd70d89a938127bd3bc472e6f3d9d33744333001f449164e3895620ba7a2d49bd2c7d3ca5902bff0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5071.exe

Filesize
326KB

MD5
b0df25254ac2d21846299b89b5c6c7fb

SHA1
4a78921815f11ecb90206f21432165683933ff51

SHA256
d08dbb7f2a7cd3abc42f4f154f8b2b3334882256b53373bf198efd4dd2805671

SHA512
b1e1608b4e92f01300bda851763b319f4203cd7d00f4684fc97e8deeb28f498fd9b26200dc50b29e5255755ae008240e84422406a5cd305b2581b97fe8e2791b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5071.exe

Filesize
326KB

MD5
b0df25254ac2d21846299b89b5c6c7fb

SHA1
4a78921815f11ecb90206f21432165683933ff51

SHA256
d08dbb7f2a7cd3abc42f4f154f8b2b3334882256b53373bf198efd4dd2805671

SHA512
b1e1608b4e92f01300bda851763b319f4203cd7d00f4684fc97e8deeb28f498fd9b26200dc50b29e5255755ae008240e84422406a5cd305b2581b97fe8e2791b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9080.exe

Filesize
384KB

MD5
723585d815c3988f5ac6864bc3119eb3

SHA1
6f9689a2def453c0b65645497e204369671775dd

SHA256
90373862f1a95bd04f17448b943735f7fb49534c6ea436055d3950889e0a8348

SHA512
1dfe158115e441a4d0bcb92930b41fb234d16cd4878d5331bb0e7f1db28571ba563da261235a334cb9bba11affb42004d27213b244d3121b54288ac66d894222

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9080.exe

Filesize
384KB

MD5
723585d815c3988f5ac6864bc3119eb3

SHA1
6f9689a2def453c0b65645497e204369671775dd

SHA256
90373862f1a95bd04f17448b943735f7fb49534c6ea436055d3950889e0a8348

SHA512
1dfe158115e441a4d0bcb92930b41fb234d16cd4878d5331bb0e7f1db28571ba563da261235a334cb9bba11affb42004d27213b244d3121b54288ac66d894222

Download Submit
memory/836-1122-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/836-1121-0x0000000000DD0000-0x0000000000E02000-memory.dmp

Filesize
200KB

Download
memory/1048-156-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-170-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-150-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1048-152-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1048-153-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-154-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-149-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/1048-158-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-160-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-162-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-164-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-166-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-168-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-151-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1048-172-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-174-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-176-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-178-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-180-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1048-181-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/1048-182-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1048-183-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1048-184-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1048-186-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/1048-148-0x0000000007430000-0x00000000079D4000-memory.dmp

Filesize
5.6MB

Download
memory/4264-191-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-222-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-196-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-198-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-200-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-202-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-204-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-206-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-208-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-211-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/4264-210-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-213-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/4264-217-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/4264-215-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-214-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/4264-218-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-220-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-194-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-224-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-226-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-228-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-1101-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/4264-1102-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/4264-1103-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4264-1104-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/4264-1105-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/4264-1107-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/4264-1108-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/4264-1109-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/4264-1110-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/4264-1111-0x0000000008B60000-0x0000000008BD6000-memory.dmp

Filesize
472KB

Download
memory/4264-1112-0x0000000008C00000-0x0000000008C50000-memory.dmp

Filesize
320KB

Download
memory/4264-192-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4264-1113-0x000000000A190000-0x000000000A352000-memory.dmp

Filesize
1.8MB

Download
memory/4264-1114-0x000000000A360000-0x000000000A88C000-memory.dmp

Filesize
5.2MB

Download
memory/4264-1116-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download