redline | 5494f80a7ee0df962b3a6038a2191fcdea2c81109f5ac518c0fd6119f4463419

Analysis

max time kernel
90s
max time network
142s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27/03/2023, 06:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5494f80a7ee0df962b3a6038a2191fcdea2c81109f5ac518c0fd6119f4463419.exe
Size

686KB
MD5

3a6ff1a8e87965996e78bb3431417c99
SHA1

29f126428a9288cf5eb40ca8b38c0f5b97fa465d
SHA256

5494f80a7ee0df962b3a6038a2191fcdea2c81109f5ac518c0fd6119f4463419
SHA512

acc40b8a166db603678bba52aa48a4c200a158c4df68a16fed8bfaa86338e36d240b84cee387130a6349960763ede26224cbe1dee555c374afb614cca690b4ee
SSDEEP

12288:4Mr0y90Cq6E13Cw9xzjQJVYkLoq7UblH4gQe1Af96zuos584pp:8yINCwLz0JVAq4blH4g9yFdTpp

Score

10^/10

redline dent sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

dent

193.233.20.33:4125

Attributes

auth_value
e795368557f02e28e8aef6bcb279a3b0

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro3245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro3245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro3245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro3245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro3245.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 22 IoCs

resource	yara_rule
behavioral1/memory/1968-179-0x0000000002610000-0x0000000002656000-memory.dmp	family_redline
behavioral1/memory/1968-180-0x0000000004CC0000-0x0000000004D04000-memory.dmp	family_redline
behavioral1/memory/1968-181-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-182-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-184-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-186-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-188-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-196-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-192-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-198-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-200-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-202-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-204-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-206-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-208-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-210-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-212-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-214-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-216-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-218-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1968-1101-0x0000000004DD0000-0x0000000004DE0000-memory.dmp	family_redline
behavioral1/memory/1968-1100-0x0000000004DD0000-0x0000000004DE0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3220	un886829.exe
4280	pro3245.exe
1968	qu2800.exe
4608	si546847.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro3245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro3245.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5494f80a7ee0df962b3a6038a2191fcdea2c81109f5ac518c0fd6119f4463419.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un886829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un886829.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5494f80a7ee0df962b3a6038a2191fcdea2c81109f5ac518c0fd6119f4463419.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4280	pro3245.exe
4280	pro3245.exe
1968	qu2800.exe
1968	qu2800.exe
4608	si546847.exe
4608	si546847.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4280	pro3245.exe
Token: SeDebugPrivilege	1968	qu2800.exe
Token: SeDebugPrivilege	4608	si546847.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3220	2868	5494f80a7ee0df962b3a6038a2191fcdea2c81109f5ac518c0fd6119f4463419.exe	66
PID 2868 wrote to memory of 3220	2868	5494f80a7ee0df962b3a6038a2191fcdea2c81109f5ac518c0fd6119f4463419.exe	66
PID 2868 wrote to memory of 3220	2868	5494f80a7ee0df962b3a6038a2191fcdea2c81109f5ac518c0fd6119f4463419.exe	66
PID 3220 wrote to memory of 4280	3220	un886829.exe	67
PID 3220 wrote to memory of 4280	3220	un886829.exe	67
PID 3220 wrote to memory of 4280	3220	un886829.exe	67
PID 3220 wrote to memory of 1968	3220	un886829.exe	68
PID 3220 wrote to memory of 1968	3220	un886829.exe	68
PID 3220 wrote to memory of 1968	3220	un886829.exe	68
PID 2868 wrote to memory of 4608	2868	5494f80a7ee0df962b3a6038a2191fcdea2c81109f5ac518c0fd6119f4463419.exe	70
PID 2868 wrote to memory of 4608	2868	5494f80a7ee0df962b3a6038a2191fcdea2c81109f5ac518c0fd6119f4463419.exe	70
PID 2868 wrote to memory of 4608	2868	5494f80a7ee0df962b3a6038a2191fcdea2c81109f5ac518c0fd6119f4463419.exe	70

C:\Users\Admin\AppData\Local\Temp\5494f80a7ee0df962b3a6038a2191fcdea2c81109f5ac518c0fd6119f4463419.exe
"C:\Users\Admin\AppData\Local\Temp\5494f80a7ee0df962b3a6038a2191fcdea2c81109f5ac518c0fd6119f4463419.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886829.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886829.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3245.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3245.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2800.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2800.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si546847.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si546847.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si546847.exe

Filesize
175KB

MD5
b505a5047e274e05fa166327a47ae6cd

SHA1
ad5783591086d6799343f1002cd46b6fb7bcc46b

SHA256
022c8ed2fabc74ddecf9a6f61bb66462db34912b787fe7fcd0863f3defbd67fc

SHA512
e0a359211e4ccef668941611dc0003094a8f9a9c4bdfcbf9d65cc19a0fe23a13472341001b1d3e8876a8b48f5a627e14c3bb5db24898f13f3051bdc55aa4899d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si546847.exe

Filesize
175KB

MD5
b505a5047e274e05fa166327a47ae6cd

SHA1
ad5783591086d6799343f1002cd46b6fb7bcc46b

SHA256
022c8ed2fabc74ddecf9a6f61bb66462db34912b787fe7fcd0863f3defbd67fc

SHA512
e0a359211e4ccef668941611dc0003094a8f9a9c4bdfcbf9d65cc19a0fe23a13472341001b1d3e8876a8b48f5a627e14c3bb5db24898f13f3051bdc55aa4899d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886829.exe

Filesize
544KB

MD5
7e405842fa806415f73632473fd5b325

SHA1
5a1ffeb979f8fd1a89e34d5598889d17b9e98eda

SHA256
6f9b8e1eb74697e254a7cf8e95e234c6a1fb091e3d8d403f9cf424cbbfe1b970

SHA512
c437792d05a7cb381a9fde04e18eb442ec9ed2950d8e3657604fb4282df0a7d9f8d0dab438285eff80235b221554b2aaec3ca66313bb62c628e1aeebe05f5b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886829.exe

Filesize
544KB

MD5
7e405842fa806415f73632473fd5b325

SHA1
5a1ffeb979f8fd1a89e34d5598889d17b9e98eda

SHA256
6f9b8e1eb74697e254a7cf8e95e234c6a1fb091e3d8d403f9cf424cbbfe1b970

SHA512
c437792d05a7cb381a9fde04e18eb442ec9ed2950d8e3657604fb4282df0a7d9f8d0dab438285eff80235b221554b2aaec3ca66313bb62c628e1aeebe05f5b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3245.exe

Filesize
300KB

MD5
096a2afc614b0552135c5ea9002e57f0

SHA1
659dbf1e0b550ee9d7947f02a3b1c3ee42698da8

SHA256
fef9554a8ead534e4a962719a5ed301021fcef20414f842778703b45c3073785

SHA512
966bdcb793850292cbef4cb720852e9335029472b74d3214483856efc3a31cb172768a37c32854c1d1f5c899f8103ce7864ed4b008e82152381a8d48c45e0504

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3245.exe

Filesize
300KB

MD5
096a2afc614b0552135c5ea9002e57f0

SHA1
659dbf1e0b550ee9d7947f02a3b1c3ee42698da8

SHA256
fef9554a8ead534e4a962719a5ed301021fcef20414f842778703b45c3073785

SHA512
966bdcb793850292cbef4cb720852e9335029472b74d3214483856efc3a31cb172768a37c32854c1d1f5c899f8103ce7864ed4b008e82152381a8d48c45e0504

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2800.exe

Filesize
359KB

MD5
2816406f006be48ce900efb1eb20cf29

SHA1
02113a5324126aca45af90345fe10a2005f7530c

SHA256
856ee3df74b0ac84261b85475128e55f964411f6865342624dd6765865baa8e1

SHA512
c88a373f6692321536e1175bbd7ddc6a0519f29e3aa06e088888a4b6035820be86b66785464688b8880622c3a2bde7b383c6333ad972ec5d4e6f18702ae16323

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2800.exe

Filesize
359KB

MD5
2816406f006be48ce900efb1eb20cf29

SHA1
02113a5324126aca45af90345fe10a2005f7530c

SHA256
856ee3df74b0ac84261b85475128e55f964411f6865342624dd6765865baa8e1

SHA512
c88a373f6692321536e1175bbd7ddc6a0519f29e3aa06e088888a4b6035820be86b66785464688b8880622c3a2bde7b383c6333ad972ec5d4e6f18702ae16323

Download Submit
memory/1968-218-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-216-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-1106-0x0000000006EB0000-0x0000000006F00000-memory.dmp

Filesize
320KB

Download
memory/1968-1105-0x0000000006E20000-0x0000000006E96000-memory.dmp

Filesize
472KB

Download
memory/1968-1104-0x00000000067D0000-0x0000000006CFC000-memory.dmp

Filesize
5.2MB

Download
memory/1968-1103-0x00000000065E0000-0x00000000067A2000-memory.dmp

Filesize
1.8MB

Download
memory/1968-1102-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1968-1100-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1968-1101-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1968-1098-0x00000000063C0000-0x0000000006452000-memory.dmp

Filesize
584KB

Download
memory/1968-1097-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/1968-1096-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1968-1095-0x0000000005560000-0x00000000055AB000-memory.dmp

Filesize
300KB

Download
memory/1968-1094-0x0000000005410000-0x000000000544E000-memory.dmp

Filesize
248KB

Download
memory/1968-1093-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/1968-1092-0x00000000052E0000-0x00000000053EA000-memory.dmp

Filesize
1.0MB

Download
memory/1968-193-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1968-194-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1968-1091-0x00000000058F0000-0x0000000005EF6000-memory.dmp

Filesize
6.0MB

Download
memory/1968-204-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-214-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-212-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-210-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-179-0x0000000002610000-0x0000000002656000-memory.dmp

Filesize
280KB

Download
memory/1968-180-0x0000000004CC0000-0x0000000004D04000-memory.dmp

Filesize
272KB

Download
memory/1968-181-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-182-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-184-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-186-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-188-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-189-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/1968-191-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1968-208-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-196-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-206-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-192-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-198-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-200-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1968-202-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4280-169-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-170-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4280-140-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4280-139-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4280-141-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4280-174-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4280-172-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4280-138-0x0000000005140000-0x0000000005158000-memory.dmp

Filesize
96KB

Download
memory/4280-171-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4280-167-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-165-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-163-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-161-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-159-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-157-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-155-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-153-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-151-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-149-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-147-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-145-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-143-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-142-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4280-137-0x0000000004C40000-0x000000000513E000-memory.dmp

Filesize
5.0MB

Download
memory/4280-136-0x00000000026A0000-0x00000000026BA000-memory.dmp

Filesize
104KB

Download
memory/4608-1112-0x0000000000490000-0x00000000004C2000-memory.dmp

Filesize
200KB

Download
memory/4608-1113-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4608-1114-0x0000000004D10000-0x0000000004D5B000-memory.dmp

Filesize
300KB

Download