redline | 24b99488707fc1ebf1dd5cada5921609286f74fbb27a934f77fcd173232d2058

Analysis

max time kernel
48s
max time network
59s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
28-03-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24b99488707fc1ebf1dd5cada5921609286f74fbb27a934f77fcd173232d2058.exe
Size

690KB
MD5

ea16de1b886de878deba1e7d05096283
SHA1

6eeeeb3b5b0e4d6febb9f3fbbbec13b812f7959d
SHA256

24b99488707fc1ebf1dd5cada5921609286f74fbb27a934f77fcd173232d2058
SHA512

ff433d89b8c751adf34caa2e704363a03759ef26e66d11efd558956f9757b779906814ec73ae9a7699e05e9d4ba450d304c30b2032f784733e52568a59d5b918
SSDEEP

12288:oMrcy905+4tQZgOur6PyX165M4+D22l5JhazvPFoCfigyzaWBrsl:UymcZkWd+D2E4zFoCagyzS

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro6635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro6635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro6635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro6635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro6635.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4260-182-0x00000000037C0000-0x0000000003806000-memory.dmp	family_redline
behavioral1/memory/4260-183-0x00000000064F0000-0x0000000006534000-memory.dmp	family_redline
behavioral1/memory/4260-184-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-185-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-187-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-189-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-191-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-193-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-195-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-197-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-199-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-201-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-203-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-205-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-207-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-209-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-213-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-217-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-219-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline
behavioral1/memory/4260-221-0x00000000064F0000-0x000000000652F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2776	un010150.exe
3292	pro6635.exe
4260	qu4563.exe
4144	si500600.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro6635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro6635.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	24b99488707fc1ebf1dd5cada5921609286f74fbb27a934f77fcd173232d2058.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	24b99488707fc1ebf1dd5cada5921609286f74fbb27a934f77fcd173232d2058.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un010150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un010150.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3292	pro6635.exe
3292	pro6635.exe
4260	qu4563.exe
4260	qu4563.exe
4144	si500600.exe
4144	si500600.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3292	pro6635.exe
Token: SeDebugPrivilege	4260	qu4563.exe
Token: SeDebugPrivilege	4144	si500600.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 2776	4032	24b99488707fc1ebf1dd5cada5921609286f74fbb27a934f77fcd173232d2058.exe	66
PID 4032 wrote to memory of 2776	4032	24b99488707fc1ebf1dd5cada5921609286f74fbb27a934f77fcd173232d2058.exe	66
PID 4032 wrote to memory of 2776	4032	24b99488707fc1ebf1dd5cada5921609286f74fbb27a934f77fcd173232d2058.exe	66
PID 2776 wrote to memory of 3292	2776	un010150.exe	67
PID 2776 wrote to memory of 3292	2776	un010150.exe	67
PID 2776 wrote to memory of 3292	2776	un010150.exe	67
PID 2776 wrote to memory of 4260	2776	un010150.exe	68
PID 2776 wrote to memory of 4260	2776	un010150.exe	68
PID 2776 wrote to memory of 4260	2776	un010150.exe	68
PID 4032 wrote to memory of 4144	4032	24b99488707fc1ebf1dd5cada5921609286f74fbb27a934f77fcd173232d2058.exe	70
PID 4032 wrote to memory of 4144	4032	24b99488707fc1ebf1dd5cada5921609286f74fbb27a934f77fcd173232d2058.exe	70
PID 4032 wrote to memory of 4144	4032	24b99488707fc1ebf1dd5cada5921609286f74fbb27a934f77fcd173232d2058.exe	70

C:\Users\Admin\AppData\Local\Temp\24b99488707fc1ebf1dd5cada5921609286f74fbb27a934f77fcd173232d2058.exe
"C:\Users\Admin\AppData\Local\Temp\24b99488707fc1ebf1dd5cada5921609286f74fbb27a934f77fcd173232d2058.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un010150.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un010150.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6635.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6635.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4563.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4563.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4260
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si500600.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si500600.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si500600.exe

Filesize
175KB

MD5
7bcd9c1a1320fb3abb50defc0f60b51a

SHA1
e4a8c46282beef0286299fbf1776084413373151

SHA256
2993058611afe64dcf2a669eda16a3d17a3bd720ceee1e057ca2552c88b5feb3

SHA512
fd8cb49bdfa6b9b806bc5bc35dfab27a2078c0c0b5578aa49693ac8e92045e56c1f5158a4735e8611f51d174d1e6e44323fde05852ed8ae0d100e0c7dbecd75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si500600.exe

Filesize
175KB

MD5
7bcd9c1a1320fb3abb50defc0f60b51a

SHA1
e4a8c46282beef0286299fbf1776084413373151

SHA256
2993058611afe64dcf2a669eda16a3d17a3bd720ceee1e057ca2552c88b5feb3

SHA512
fd8cb49bdfa6b9b806bc5bc35dfab27a2078c0c0b5578aa49693ac8e92045e56c1f5158a4735e8611f51d174d1e6e44323fde05852ed8ae0d100e0c7dbecd75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un010150.exe

Filesize
548KB

MD5
0e93655f0a3811f5b43f99c87b21d951

SHA1
da3917fd9cbaee416443b3b51463134e13d47ff9

SHA256
64679d3ec0b9cbb6db4aa6189c35e2ea3693dba0b79116c9ae2e39f875dcae53

SHA512
b486553849fc1f4768953edae2aba4cd1ab1686388ea9a5d2191f28d0886c6bd6327985aa49ef5b6264351b7f2c2f3a52cd94572d6b6f28d1561a0be5e60c6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un010150.exe

Filesize
548KB

MD5
0e93655f0a3811f5b43f99c87b21d951

SHA1
da3917fd9cbaee416443b3b51463134e13d47ff9

SHA256
64679d3ec0b9cbb6db4aa6189c35e2ea3693dba0b79116c9ae2e39f875dcae53

SHA512
b486553849fc1f4768953edae2aba4cd1ab1686388ea9a5d2191f28d0886c6bd6327985aa49ef5b6264351b7f2c2f3a52cd94572d6b6f28d1561a0be5e60c6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6635.exe

Filesize
291KB

MD5
ed6c915eadf0ebbc6a94b375e61c336e

SHA1
5a79e9af2532c7dc1e9e4a00240dc4e8b10f3107

SHA256
eb8105f183f33ad320bfaeeb46dbc926c9e392a954e091aef2cb5c24b68eea0b

SHA512
207e05c91a84d2d0870b88348d753127f1002833313c2403578e74edc66016bbe17df7d953d7b9c99818e54dee32f05de74b27dabb6ff7fdb246962cfc8a2b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6635.exe

Filesize
291KB

MD5
ed6c915eadf0ebbc6a94b375e61c336e

SHA1
5a79e9af2532c7dc1e9e4a00240dc4e8b10f3107

SHA256
eb8105f183f33ad320bfaeeb46dbc926c9e392a954e091aef2cb5c24b68eea0b

SHA512
207e05c91a84d2d0870b88348d753127f1002833313c2403578e74edc66016bbe17df7d953d7b9c99818e54dee32f05de74b27dabb6ff7fdb246962cfc8a2b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4563.exe

Filesize
345KB

MD5
93bb6be447c008929efd1b84bf4de4bf

SHA1
c35067cf0c6a3ee85c5ae12cae03cd4980ee56b3

SHA256
b352e3504d3ba46caf027556be274342bed7264181fdca8a452153162e643bf5

SHA512
78782a466e603d36f4a76c95ba29902a7f176ed0c5acbc19a45117c6c9127162a26f4d993388ad160ffbc5d318a9282e96952b3900b4a8eecd49a296bc2ec657

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4563.exe

Filesize
345KB

MD5
93bb6be447c008929efd1b84bf4de4bf

SHA1
c35067cf0c6a3ee85c5ae12cae03cd4980ee56b3

SHA256
b352e3504d3ba46caf027556be274342bed7264181fdca8a452153162e643bf5

SHA512
78782a466e603d36f4a76c95ba29902a7f176ed0c5acbc19a45117c6c9127162a26f4d993388ad160ffbc5d318a9282e96952b3900b4a8eecd49a296bc2ec657

Download Submit
memory/3292-148-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-158-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-138-0x0000000004E10000-0x000000000530E000-memory.dmp

Filesize
5.0MB

Download
memory/3292-139-0x00000000028B0000-0x00000000028C8000-memory.dmp

Filesize
96KB

Download
memory/3292-140-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3292-141-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3292-142-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3292-143-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-144-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-146-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3292-150-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-152-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-154-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-156-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-137-0x0000000000AB0000-0x0000000000ACA000-memory.dmp

Filesize
104KB

Download
memory/3292-160-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-162-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-164-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-166-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-168-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-170-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/3292-171-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3292-172-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3292-173-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3292-174-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3292-175-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3292-177-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4144-1117-0x00000000006E0000-0x0000000000712000-memory.dmp

Filesize
200KB

Download
memory/4144-1119-0x0000000005130000-0x000000000517B000-memory.dmp

Filesize
300KB

Download
memory/4144-1118-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4260-183-0x00000000064F0000-0x0000000006534000-memory.dmp

Filesize
272KB

Download
memory/4260-216-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/4260-187-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-189-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-191-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-193-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-195-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-197-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-199-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-201-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-203-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-205-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-207-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-209-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-211-0x0000000001C20000-0x0000000001C6B000-memory.dmp

Filesize
300KB

Download
memory/4260-212-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/4260-214-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/4260-213-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-217-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-185-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-219-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-221-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-1094-0x0000000006B50000-0x0000000007156000-memory.dmp

Filesize
6.0MB

Download
memory/4260-1095-0x00000000065C0000-0x00000000066CA000-memory.dmp

Filesize
1.0MB

Download
memory/4260-1096-0x0000000006700000-0x0000000006712000-memory.dmp

Filesize
72KB

Download
memory/4260-1097-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/4260-1098-0x0000000006720000-0x000000000675E000-memory.dmp

Filesize
248KB

Download
memory/4260-1099-0x0000000006870000-0x00000000068BB000-memory.dmp

Filesize
300KB

Download
memory/4260-1101-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/4260-1102-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/4260-1103-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/4260-1104-0x0000000006A00000-0x0000000006A66000-memory.dmp

Filesize
408KB

Download
memory/4260-1105-0x00000000076D0000-0x0000000007762000-memory.dmp

Filesize
584KB

Download
memory/4260-1106-0x00000000078A0000-0x0000000007916000-memory.dmp

Filesize
472KB

Download
memory/4260-1107-0x0000000007920000-0x0000000007970000-memory.dmp

Filesize
320KB

Download
memory/4260-184-0x00000000064F0000-0x000000000652F000-memory.dmp

Filesize
252KB

Download
memory/4260-182-0x00000000037C0000-0x0000000003806000-memory.dmp

Filesize
280KB

Download
memory/4260-1108-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/4260-1109-0x00000000079B0000-0x0000000007B72000-memory.dmp

Filesize
1.8MB

Download
memory/4260-1110-0x0000000007B80000-0x00000000080AC000-memory.dmp

Filesize
5.2MB

Download