redline | 700c963dbd412f9aeb24431c3d5b238f11b37e058ba4a40a8bbb510b0106f3cf

Analysis

max time kernel
135s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

700c963dbd412f9aeb24431c3d5b238f11b37e058ba4a40a8bbb510b0106f3cf.exe
Size

701KB
MD5

fada7b1d0aee98290d2aead51835bc24
SHA1

f4e6923e8212b3a86de2e03f57d7d4be42a79528
SHA256

700c963dbd412f9aeb24431c3d5b238f11b37e058ba4a40a8bbb510b0106f3cf
SHA512

a9bb864014f6afb1870567685a10181bee06f291d343175b259106ec6470ce9b14b016a35b420ecb6e2895d7bc300d1541c0f2ab0a6c479e6bc4251a15156ad6
SSDEEP

12288:xMrby90h0JiovfJfoOlRc5SuMbXu8xP0KXTsz6Fh082JM:myS0Jiovf925SuMbXBP0KXTszMEJM

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8116.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8116.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8116.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8116.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8116.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8116.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/1272-194-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-196-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-193-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-198-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-200-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-202-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-204-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-206-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-208-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-210-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-212-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-214-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-216-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-218-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-220-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-224-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-222-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1272-226-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4576	un885273.exe
4884	pro8116.exe
1272	qu5415.exe
3772	si366287.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8116.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8116.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	700c963dbd412f9aeb24431c3d5b238f11b37e058ba4a40a8bbb510b0106f3cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	700c963dbd412f9aeb24431c3d5b238f11b37e058ba4a40a8bbb510b0106f3cf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un885273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un885273.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2104	4884	WerFault.exe	86
1124	1272	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4884	pro8116.exe
4884	pro8116.exe
1272	qu5415.exe
1272	qu5415.exe
3772	si366287.exe
3772	si366287.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	pro8116.exe
Token: SeDebugPrivilege	1272	qu5415.exe
Token: SeDebugPrivilege	3772	si366287.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 4576	4548	700c963dbd412f9aeb24431c3d5b238f11b37e058ba4a40a8bbb510b0106f3cf.exe	85
PID 4548 wrote to memory of 4576	4548	700c963dbd412f9aeb24431c3d5b238f11b37e058ba4a40a8bbb510b0106f3cf.exe	85
PID 4548 wrote to memory of 4576	4548	700c963dbd412f9aeb24431c3d5b238f11b37e058ba4a40a8bbb510b0106f3cf.exe	85
PID 4576 wrote to memory of 4884	4576	un885273.exe	86
PID 4576 wrote to memory of 4884	4576	un885273.exe	86
PID 4576 wrote to memory of 4884	4576	un885273.exe	86
PID 4576 wrote to memory of 1272	4576	un885273.exe	92
PID 4576 wrote to memory of 1272	4576	un885273.exe	92
PID 4576 wrote to memory of 1272	4576	un885273.exe	92
PID 4548 wrote to memory of 3772	4548	700c963dbd412f9aeb24431c3d5b238f11b37e058ba4a40a8bbb510b0106f3cf.exe	96
PID 4548 wrote to memory of 3772	4548	700c963dbd412f9aeb24431c3d5b238f11b37e058ba4a40a8bbb510b0106f3cf.exe	96
PID 4548 wrote to memory of 3772	4548	700c963dbd412f9aeb24431c3d5b238f11b37e058ba4a40a8bbb510b0106f3cf.exe	96

C:\Users\Admin\AppData\Local\Temp\700c963dbd412f9aeb24431c3d5b238f11b37e058ba4a40a8bbb510b0106f3cf.exe
"C:\Users\Admin\AppData\Local\Temp\700c963dbd412f9aeb24431c3d5b238f11b37e058ba4a40a8bbb510b0106f3cf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un885273.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un885273.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8116.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8116.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1080
      4⤵
      Program crash
      PID:2104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5415.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5415.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1368
      4⤵
      Program crash
      PID:1124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si366287.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si366287.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4884 -ip 4884
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1272 -ip 1272
1⤵
PID:2344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si366287.exe

Filesize
175KB

MD5
5966c6b575ed1d089b951d0e24a66b43

SHA1
5e4b71461acf1da512d42316036f22ce6c3ff34b

SHA256
f03f7006cf04da1cb8098b40a05d53fc5ee70888a2ff010fd9d605b9e89f1b18

SHA512
2c2d2afb8038ca548037e54dad81849ba5ef30e4bfdd475e3200c16371372f2422bad3750cd84139c464f8fd285c0938ceefc07cac4c9eee22b08699ae7ac3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si366287.exe

Filesize
175KB

MD5
5966c6b575ed1d089b951d0e24a66b43

SHA1
5e4b71461acf1da512d42316036f22ce6c3ff34b

SHA256
f03f7006cf04da1cb8098b40a05d53fc5ee70888a2ff010fd9d605b9e89f1b18

SHA512
2c2d2afb8038ca548037e54dad81849ba5ef30e4bfdd475e3200c16371372f2422bad3750cd84139c464f8fd285c0938ceefc07cac4c9eee22b08699ae7ac3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un885273.exe

Filesize
558KB

MD5
2752b2d110e0efce72597808b303648e

SHA1
cf3713b17225ca49ed0e4b48b002aaf69700cfb3

SHA256
c54f3491492aa08b01bec90bad09519ad9a222d1dfc2189c894de1142e5d40eb

SHA512
ce8444a45e0d4cca9ddbd9e3d2f10cc702d4b4479fedd3d3e1ff7b46eef3f64a0196480110e534ffd0343d5d993530dd20f39e890e083593d636cfb826e53935

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un885273.exe

Filesize
558KB

MD5
2752b2d110e0efce72597808b303648e

SHA1
cf3713b17225ca49ed0e4b48b002aaf69700cfb3

SHA256
c54f3491492aa08b01bec90bad09519ad9a222d1dfc2189c894de1142e5d40eb

SHA512
ce8444a45e0d4cca9ddbd9e3d2f10cc702d4b4479fedd3d3e1ff7b46eef3f64a0196480110e534ffd0343d5d993530dd20f39e890e083593d636cfb826e53935

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8116.exe

Filesize
307KB

MD5
d3a6ff880f37db1da559f03a87bd00be

SHA1
608a6ac8b88bd18f49adefb9f1c22e68df13908d

SHA256
fee305dbe173164cecccf2dcd9450c47427bc156187f1ddf90bfd359c58c39ce

SHA512
0743c0c060c3b54ad9d0d406b7b6d7b6b12ea8c9f42130448be774d51934550cb6a7ab16ea203219abf9689e4b2e5421cc506ea238b625fb5a10eceac1267d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8116.exe

Filesize
307KB

MD5
d3a6ff880f37db1da559f03a87bd00be

SHA1
608a6ac8b88bd18f49adefb9f1c22e68df13908d

SHA256
fee305dbe173164cecccf2dcd9450c47427bc156187f1ddf90bfd359c58c39ce

SHA512
0743c0c060c3b54ad9d0d406b7b6d7b6b12ea8c9f42130448be774d51934550cb6a7ab16ea203219abf9689e4b2e5421cc506ea238b625fb5a10eceac1267d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5415.exe

Filesize
365KB

MD5
0e188965a55ac5624c45175c9249c5fe

SHA1
3e59980dc93e243ba3c0b3534272c164531912af

SHA256
666eeb7e6a05a82fcaddd33725d79b4047b7c676f74799ea682300e438a92dec

SHA512
789e7407e146dd0078a62437db2abe2057787158ee43d1ee157a9486de8dd13b104fa0b630672895525f425c3af914f223965d0d504979565fcb3a26e56d4187

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5415.exe

Filesize
365KB

MD5
0e188965a55ac5624c45175c9249c5fe

SHA1
3e59980dc93e243ba3c0b3534272c164531912af

SHA256
666eeb7e6a05a82fcaddd33725d79b4047b7c676f74799ea682300e438a92dec

SHA512
789e7407e146dd0078a62437db2abe2057787158ee43d1ee157a9486de8dd13b104fa0b630672895525f425c3af914f223965d0d504979565fcb3a26e56d4187

Download Submit
memory/1272-1099-0x0000000005480000-0x0000000005A98000-memory.dmp

Filesize
6.1MB

Download
memory/1272-1102-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/1272-1114-0x00000000083C0000-0x0000000008410000-memory.dmp

Filesize
320KB

Download
memory/1272-1113-0x0000000008340000-0x00000000083B6000-memory.dmp

Filesize
472KB

Download
memory/1272-1112-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1272-1111-0x00000000069E0000-0x0000000006F0C000-memory.dmp

Filesize
5.2MB

Download
memory/1272-1110-0x0000000006810000-0x00000000069D2000-memory.dmp

Filesize
1.8MB

Download
memory/1272-1109-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1272-1108-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1272-1107-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1272-1105-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/1272-1104-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/1272-1103-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/1272-1101-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1272-1100-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/1272-226-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-222-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-224-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-220-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-218-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-216-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-214-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-190-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/1272-191-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1272-192-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1272-194-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-196-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-193-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-198-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-200-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-202-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-204-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-206-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-208-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-210-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1272-212-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/3772-1120-0x0000000000370000-0x00000000003A2000-memory.dmp

Filesize
200KB

Download
memory/3772-1121-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/4884-173-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-148-0x0000000004F80000-0x0000000005524000-memory.dmp

Filesize
5.6MB

Download
memory/4884-182-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/4884-181-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/4884-180-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4884-150-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/4884-179-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-177-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-153-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-175-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-152-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-183-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/4884-165-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-167-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-169-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-163-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-161-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-159-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-157-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-155-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-149-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/4884-171-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4884-185-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4884-151-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download