redline | 3312eab99f6709480fe86c649e7d480c65e6ddbd790e56875b5a003f4e11d638

Analysis

max time kernel
87s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3312eab99f6709480fe86c649e7d480c65e6ddbd790e56875b5a003f4e11d638.exe
Size

687KB
MD5

6a95b83ddd4aebcdc18ef8f03c61d092
SHA1

7f129537f3c11f5a273f21cc066e7d29477a2fd5
SHA256

3312eab99f6709480fe86c649e7d480c65e6ddbd790e56875b5a003f4e11d638
SHA512

932f5df02ed4f32d91237c962709b5845b3e4477e0fd9b9b47ef755b9727aec7e7e51623c725c144b2ffbc9c8bbdedfdf718717e4ce69cb17aa0d8fa39dfa87e
SSDEEP

12288:XMrKy90GT6LyD/4V22wa6Vk6MyBqFR2TCsAaFHaZmoetNgiFRcW:NyHuLi/4VmaukbwaAsctNgiFRcW

Score

10^/10

redline nice sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

193.233.20.33:4125

Attributes

auth_value
a7371b75699e8bc7c51fb960e8ac9e81

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4210.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4210.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4210.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4210.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4210.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4210.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/4604-190-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-191-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-193-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-195-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-197-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-199-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-201-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-203-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-205-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-207-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-209-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-211-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-213-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-215-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-217-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-219-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-221-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4604-223-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3724	un028995.exe
684	pro4210.exe
4604	qu3595.exe
5100	si860352.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4210.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4210.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un028995.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3312eab99f6709480fe86c649e7d480c65e6ddbd790e56875b5a003f4e11d638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3312eab99f6709480fe86c649e7d480c65e6ddbd790e56875b5a003f4e11d638.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un028995.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4744	684	WerFault.exe	84
664	4604	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
684	pro4210.exe
684	pro4210.exe
4604	qu3595.exe
4604	qu3595.exe
5100	si860352.exe
5100	si860352.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	684	pro4210.exe
Token: SeDebugPrivilege	4604	qu3595.exe
Token: SeDebugPrivilege	5100	si860352.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 3724	3744	3312eab99f6709480fe86c649e7d480c65e6ddbd790e56875b5a003f4e11d638.exe	83
PID 3744 wrote to memory of 3724	3744	3312eab99f6709480fe86c649e7d480c65e6ddbd790e56875b5a003f4e11d638.exe	83
PID 3744 wrote to memory of 3724	3744	3312eab99f6709480fe86c649e7d480c65e6ddbd790e56875b5a003f4e11d638.exe	83
PID 3724 wrote to memory of 684	3724	un028995.exe	84
PID 3724 wrote to memory of 684	3724	un028995.exe	84
PID 3724 wrote to memory of 684	3724	un028995.exe	84
PID 3724 wrote to memory of 4604	3724	un028995.exe	92
PID 3724 wrote to memory of 4604	3724	un028995.exe	92
PID 3724 wrote to memory of 4604	3724	un028995.exe	92
PID 3744 wrote to memory of 5100	3744	3312eab99f6709480fe86c649e7d480c65e6ddbd790e56875b5a003f4e11d638.exe	96
PID 3744 wrote to memory of 5100	3744	3312eab99f6709480fe86c649e7d480c65e6ddbd790e56875b5a003f4e11d638.exe	96
PID 3744 wrote to memory of 5100	3744	3312eab99f6709480fe86c649e7d480c65e6ddbd790e56875b5a003f4e11d638.exe	96

C:\Users\Admin\AppData\Local\Temp\3312eab99f6709480fe86c649e7d480c65e6ddbd790e56875b5a003f4e11d638.exe
"C:\Users\Admin\AppData\Local\Temp\3312eab99f6709480fe86c649e7d480c65e6ddbd790e56875b5a003f4e11d638.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un028995.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un028995.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4210.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4210.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 1080
      4⤵
      Program crash
      PID:4744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3595.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3595.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1348
      4⤵
      Program crash
      PID:664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si860352.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si860352.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 684 -ip 684
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4604 -ip 4604
1⤵
PID:2520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si860352.exe

Filesize
175KB

MD5
adc6e1a11aaae24efd5f1ed970295a1e

SHA1
0330cea408705cd57f811dda87a48fb6d3af4133

SHA256
5f9c63cb2e74bc104fe7328e13cadfbf89491dcca0ac65dc8add03d9fbef7fd3

SHA512
47929cf8de2c95b4fdbdcc4ce1ec3490432085e7a93a176c8ddbbdfe80da4ac71d8d7028379dc5200c382c262ffd2a2932da2354f85c216dac57ee7647b72c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si860352.exe

Filesize
175KB

MD5
adc6e1a11aaae24efd5f1ed970295a1e

SHA1
0330cea408705cd57f811dda87a48fb6d3af4133

SHA256
5f9c63cb2e74bc104fe7328e13cadfbf89491dcca0ac65dc8add03d9fbef7fd3

SHA512
47929cf8de2c95b4fdbdcc4ce1ec3490432085e7a93a176c8ddbbdfe80da4ac71d8d7028379dc5200c382c262ffd2a2932da2354f85c216dac57ee7647b72c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un028995.exe

Filesize
545KB

MD5
56b13424e3d8edf742678ec97f3d9fa5

SHA1
a8d82ca7ac2a723f6ce50c65d59388fdfa9c7189

SHA256
bd4b5d7d2403b53c672cfe39b883efe75ea3dd63e0ce0ca2e72ac2f5d0a0ee4d

SHA512
811de4f2746296becc3db6407cb50bb1e38f24375d19e8a5e63fea3ca7cf6de86c44a9e4c1566c79327515ac3e34f57b59db938c30ab4b57d76a389a3c31d738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un028995.exe

Filesize
545KB

MD5
56b13424e3d8edf742678ec97f3d9fa5

SHA1
a8d82ca7ac2a723f6ce50c65d59388fdfa9c7189

SHA256
bd4b5d7d2403b53c672cfe39b883efe75ea3dd63e0ce0ca2e72ac2f5d0a0ee4d

SHA512
811de4f2746296becc3db6407cb50bb1e38f24375d19e8a5e63fea3ca7cf6de86c44a9e4c1566c79327515ac3e34f57b59db938c30ab4b57d76a389a3c31d738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4210.exe

Filesize
300KB

MD5
8610e0a90237d4a7737dad8614a7ab47

SHA1
4803a2cef89b330bcd95913d7097d9f309bd7557

SHA256
6781ae2bc6af46d3ff67ec28c8dc6470420f1123cc9d1d8b2d6221c7b84a08a8

SHA512
3507b319d1890e45b246c85d3fe2350d4e6e08738409d07917dfea393a61479ab501e8fe7718f3a0014ced822a91225f1628b65d6a1a4ba2fb6d3f56c3459aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4210.exe

Filesize
300KB

MD5
8610e0a90237d4a7737dad8614a7ab47

SHA1
4803a2cef89b330bcd95913d7097d9f309bd7557

SHA256
6781ae2bc6af46d3ff67ec28c8dc6470420f1123cc9d1d8b2d6221c7b84a08a8

SHA512
3507b319d1890e45b246c85d3fe2350d4e6e08738409d07917dfea393a61479ab501e8fe7718f3a0014ced822a91225f1628b65d6a1a4ba2fb6d3f56c3459aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3595.exe

Filesize
359KB

MD5
f28c088a29d3366aa4f79cf312d37457

SHA1
83829f2952961558e20ab0b85c658885942ec706

SHA256
42c5fd7d5ba4438ce0db89e51303d0711a5db7d3590e4633bb4d396c3387779f

SHA512
651c8c1e7f839388b5c04e1e13f067ee14b10ac77a453aa20ab39e632def2a0c351adc5a9aade8b71b86f3f6b360b646deb64923da8b9538e9e7fe622bd40ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3595.exe

Filesize
359KB

MD5
f28c088a29d3366aa4f79cf312d37457

SHA1
83829f2952961558e20ab0b85c658885942ec706

SHA256
42c5fd7d5ba4438ce0db89e51303d0711a5db7d3590e4633bb4d396c3387779f

SHA512
651c8c1e7f839388b5c04e1e13f067ee14b10ac77a453aa20ab39e632def2a0c351adc5a9aade8b71b86f3f6b360b646deb64923da8b9538e9e7fe622bd40ce6

Download Submit
memory/684-148-0x0000000002330000-0x000000000235D000-memory.dmp

Filesize
180KB

Download
memory/684-149-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/684-150-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/684-151-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/684-152-0x0000000004EA0000-0x0000000005444000-memory.dmp

Filesize
5.6MB

Download
memory/684-153-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-154-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-156-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-158-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-160-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-162-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-164-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-166-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-168-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-170-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-172-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-174-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-176-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-178-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-180-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/684-181-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/684-182-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/684-183-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/684-185-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4604-190-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-191-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-193-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-195-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-197-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-199-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-201-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-203-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-205-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-207-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-209-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-211-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-213-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-215-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-217-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-219-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-221-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-223-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4604-228-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4604-226-0x0000000002220000-0x000000000226B000-memory.dmp

Filesize
300KB

Download
memory/4604-230-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4604-232-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4604-1100-0x00000000054B0000-0x0000000005AC8000-memory.dmp

Filesize
6.1MB

Download
memory/4604-1101-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/4604-1102-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/4604-1103-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/4604-1104-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4604-1105-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/4604-1106-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/4604-1108-0x00000000066E0000-0x0000000006756000-memory.dmp

Filesize
472KB

Download
memory/4604-1109-0x0000000006780000-0x00000000067D0000-memory.dmp

Filesize
320KB

Download
memory/4604-1110-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4604-1111-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4604-1112-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4604-1113-0x0000000007CA0000-0x0000000007E62000-memory.dmp

Filesize
1.8MB

Download
memory/4604-1114-0x0000000007E70000-0x000000000839C000-memory.dmp

Filesize
5.2MB

Download
memory/5100-1120-0x0000000000420000-0x0000000000452000-memory.dmp

Filesize
200KB

Download
memory/5100-1121-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download