redline | b4a4c42028747a0579a7795ba7163d68d87f24cc190c2f6ea9442595b09dce52

Analysis

max time kernel
52s
max time network
67s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4a4c42028747a0579a7795ba7163d68d87f24cc190c2f6ea9442595b09dce52.exe
Size

700KB
MD5

175fd4809b141fb958f798cad088852d
SHA1

b49f531354150261323e515975d67a4fe7306a49
SHA256

b4a4c42028747a0579a7795ba7163d68d87f24cc190c2f6ea9442595b09dce52
SHA512

7897a16fceb30224cf42289e4fe290df4f889685336006704ac6c3429e990f8d1ced800d317040ccc789b03e114e08550fd64fd7a2bc11dc8e82126a1b904e92
SSDEEP

12288:5MrXy90fYi0Qj4iOp+KuEAhqpNxueZ3902lbVvXP2BRvg4lzYQl3kr:CynQj4iOp+MgO3E2LXP2k4VM

Score

10^/10

redline nice sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

193.233.20.33:4125

Attributes

auth_value
a7371b75699e8bc7c51fb960e8ac9e81

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro0523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro0523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro0523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro0523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro0523.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4644-181-0x0000000002690000-0x00000000026D6000-memory.dmp	family_redline
behavioral1/memory/4644-182-0x0000000004BB0000-0x0000000004BF4000-memory.dmp	family_redline
behavioral1/memory/4644-183-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-184-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-186-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-188-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-190-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-195-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-198-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-200-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-202-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-204-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-206-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-208-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-210-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-212-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-214-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-216-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-218-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline
behavioral1/memory/4644-220-0x0000000004BB0000-0x0000000004BEE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1440	un367624.exe
1780	pro0523.exe
4644	qu4372.exe
1296	si257188.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro0523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro0523.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b4a4c42028747a0579a7795ba7163d68d87f24cc190c2f6ea9442595b09dce52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b4a4c42028747a0579a7795ba7163d68d87f24cc190c2f6ea9442595b09dce52.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un367624.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un367624.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1780	pro0523.exe
1780	pro0523.exe
4644	qu4372.exe
4644	qu4372.exe
1296	si257188.exe
1296	si257188.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	pro0523.exe
Token: SeDebugPrivilege	4644	qu4372.exe
Token: SeDebugPrivilege	1296	si257188.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1440	1220	b4a4c42028747a0579a7795ba7163d68d87f24cc190c2f6ea9442595b09dce52.exe	66
PID 1220 wrote to memory of 1440	1220	b4a4c42028747a0579a7795ba7163d68d87f24cc190c2f6ea9442595b09dce52.exe	66
PID 1220 wrote to memory of 1440	1220	b4a4c42028747a0579a7795ba7163d68d87f24cc190c2f6ea9442595b09dce52.exe	66
PID 1440 wrote to memory of 1780	1440	un367624.exe	67
PID 1440 wrote to memory of 1780	1440	un367624.exe	67
PID 1440 wrote to memory of 1780	1440	un367624.exe	67
PID 1440 wrote to memory of 4644	1440	un367624.exe	68
PID 1440 wrote to memory of 4644	1440	un367624.exe	68
PID 1440 wrote to memory of 4644	1440	un367624.exe	68
PID 1220 wrote to memory of 1296	1220	b4a4c42028747a0579a7795ba7163d68d87f24cc190c2f6ea9442595b09dce52.exe	70
PID 1220 wrote to memory of 1296	1220	b4a4c42028747a0579a7795ba7163d68d87f24cc190c2f6ea9442595b09dce52.exe	70
PID 1220 wrote to memory of 1296	1220	b4a4c42028747a0579a7795ba7163d68d87f24cc190c2f6ea9442595b09dce52.exe	70

C:\Users\Admin\AppData\Local\Temp\b4a4c42028747a0579a7795ba7163d68d87f24cc190c2f6ea9442595b09dce52.exe
"C:\Users\Admin\AppData\Local\Temp\b4a4c42028747a0579a7795ba7163d68d87f24cc190c2f6ea9442595b09dce52.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un367624.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un367624.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0523.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0523.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4372.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4372.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si257188.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si257188.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si257188.exe

Filesize
175KB

MD5
4484fbc8aceb4817394e9ca4eef2409e

SHA1
6e440ecbdf6da62c74c1fdd75dc5c5d8d6132b0e

SHA256
bf2e66fcbf451da3b5c6a37eb1bd970e2641c10dd12c47469ba3e61d10171b1c

SHA512
496e5d95c6099b2f10eab1388b73e231a81c474858e233b53dfaef793a58fc192423bf006622a053916d3c71ca149c2870e854b7e05c8edfc21cbc0b4a6c94e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si257188.exe

Filesize
175KB

MD5
4484fbc8aceb4817394e9ca4eef2409e

SHA1
6e440ecbdf6da62c74c1fdd75dc5c5d8d6132b0e

SHA256
bf2e66fcbf451da3b5c6a37eb1bd970e2641c10dd12c47469ba3e61d10171b1c

SHA512
496e5d95c6099b2f10eab1388b73e231a81c474858e233b53dfaef793a58fc192423bf006622a053916d3c71ca149c2870e854b7e05c8edfc21cbc0b4a6c94e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un367624.exe

Filesize
557KB

MD5
c4a1ddd853e9148a3c9ceed95c7d9ad4

SHA1
663383e351e008c545971840db1869e797ac17ab

SHA256
d36f15355c8fd2ee6c975d941e341e8909f37af8988d58470105dae077b81587

SHA512
fda4cb24b816b8ef236e0811eca424ee7ef630f0b19dee3aa7c62204b2b0c7cf61c3230abaf823af783b23d731b77c471854f7dad065b54503de7a8e370b3a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un367624.exe

Filesize
557KB

MD5
c4a1ddd853e9148a3c9ceed95c7d9ad4

SHA1
663383e351e008c545971840db1869e797ac17ab

SHA256
d36f15355c8fd2ee6c975d941e341e8909f37af8988d58470105dae077b81587

SHA512
fda4cb24b816b8ef236e0811eca424ee7ef630f0b19dee3aa7c62204b2b0c7cf61c3230abaf823af783b23d731b77c471854f7dad065b54503de7a8e370b3a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0523.exe

Filesize
308KB

MD5
128581f6bf64eba64b4a0bc514ae93dd

SHA1
ef3a25374df2457189184d7efd541b5919ae1bdc

SHA256
44edc25318615406697222b434a54d29adfe14086ec803314c84775d3a315f7e

SHA512
6fde8c229ad2a45ce5ec88a03f2619ba6f7c2e526d2b72e121226bd8b409f44e6a86dd6d871fba999bd494c1063d656c619b7d878d1f157174f8cd00582fd8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0523.exe

Filesize
308KB

MD5
128581f6bf64eba64b4a0bc514ae93dd

SHA1
ef3a25374df2457189184d7efd541b5919ae1bdc

SHA256
44edc25318615406697222b434a54d29adfe14086ec803314c84775d3a315f7e

SHA512
6fde8c229ad2a45ce5ec88a03f2619ba6f7c2e526d2b72e121226bd8b409f44e6a86dd6d871fba999bd494c1063d656c619b7d878d1f157174f8cd00582fd8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4372.exe

Filesize
366KB

MD5
348a60f6a1c11d9b2461ebea31e8a6d1

SHA1
46931f5626a1475170c2e59a2e42f4c4a1c2b1d5

SHA256
67999c9673765771da7496e07cf03f89c4d929110e7cc7ea704d7a543ddca4a4

SHA512
9a7052729394140691312c82b97e81c95066da0e9a4606770deac64e34cf5f99ce077771ab2d1ea2786189149af1e68f881b8aec1685d9693400c8e6d57d82ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4372.exe

Filesize
366KB

MD5
348a60f6a1c11d9b2461ebea31e8a6d1

SHA1
46931f5626a1475170c2e59a2e42f4c4a1c2b1d5

SHA256
67999c9673765771da7496e07cf03f89c4d929110e7cc7ea704d7a543ddca4a4

SHA512
9a7052729394140691312c82b97e81c95066da0e9a4606770deac64e34cf5f99ce077771ab2d1ea2786189149af1e68f881b8aec1685d9693400c8e6d57d82ab

Download Submit
memory/1296-1114-0x0000000000FD0000-0x0000000001002000-memory.dmp

Filesize
200KB

Download
memory/1296-1115-0x0000000005A10000-0x0000000005A5B000-memory.dmp

Filesize
300KB

Download
memory/1296-1116-0x0000000005BE0000-0x0000000005BF0000-memory.dmp

Filesize
64KB

Download
memory/1780-146-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-158-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-140-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1780-141-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1780-142-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1780-143-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-144-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-138-0x0000000002520000-0x0000000002538000-memory.dmp

Filesize
96KB

Download
memory/1780-148-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-150-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-152-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-154-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-156-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-139-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/1780-160-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-162-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-164-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-166-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-168-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-170-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/1780-171-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1780-172-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1780-173-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1780-174-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1780-176-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1780-137-0x0000000004DE0000-0x00000000052DE000-memory.dmp

Filesize
5.0MB

Download
memory/1780-136-0x0000000000A90000-0x0000000000AAA000-memory.dmp

Filesize
104KB

Download
memory/4644-183-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-216-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-186-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-188-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-190-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-191-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/4644-194-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4644-195-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-196-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4644-193-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4644-198-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-200-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-202-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-204-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-206-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-208-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-210-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-212-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-214-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-184-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-218-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-220-0x0000000004BB0000-0x0000000004BEE000-memory.dmp

Filesize
248KB

Download
memory/4644-1093-0x0000000005850000-0x0000000005E56000-memory.dmp

Filesize
6.0MB

Download
memory/4644-1094-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/4644-1095-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/4644-1096-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4644-1097-0x0000000005410000-0x000000000544E000-memory.dmp

Filesize
248KB

Download
memory/4644-1098-0x0000000005560000-0x00000000055AB000-memory.dmp

Filesize
300KB

Download
memory/4644-1100-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/4644-1101-0x00000000063F0000-0x0000000006482000-memory.dmp

Filesize
584KB

Download
memory/4644-1102-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4644-1103-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4644-1104-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4644-1105-0x00000000064B0000-0x0000000006672000-memory.dmp

Filesize
1.8MB

Download
memory/4644-182-0x0000000004BB0000-0x0000000004BF4000-memory.dmp

Filesize
272KB

Download
memory/4644-181-0x0000000002690000-0x00000000026D6000-memory.dmp

Filesize
280KB

Download
memory/4644-1106-0x0000000006690000-0x0000000006BBC000-memory.dmp

Filesize
5.2MB

Download
memory/4644-1107-0x0000000007080000-0x00000000070F6000-memory.dmp

Filesize
472KB

Download
memory/4644-1108-0x0000000007100000-0x0000000007150000-memory.dmp

Filesize
320KB

Download