redline | c1c7d26c918812b63a67a9d525f987dccd525da73501eb17ce6776bbc056ce71

Analysis

max time kernel
97s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2023, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1c7d26c918812b63a67a9d525f987dccd525da73501eb17ce6776bbc056ce71.exe
Size

695KB
MD5

1246c40d4288a87c0ff60c787b63c0dc
SHA1

1cb5a778f8b56dd9b04be931cd405b6191162ac4
SHA256

c1c7d26c918812b63a67a9d525f987dccd525da73501eb17ce6776bbc056ce71
SHA512

e80e1800ed5dee46276f0e66140af2ec3ce754b1c20792ff09fc9ffedb04cef622cdd7a251bb0b4b4030ecd322f03a8862a939f9de3f23b0d6ebeed8578a899e
SSDEEP

12288:6Mrjy90iJEFqEiBilkvahiWurr+22LCmQhAemqxVOY/Jl1DvtoGIEfw:BylBXahFuX+KBqbqaYZq

Score

10^/10

redline muse rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

muse

176.113.115.145:4125

Attributes

auth_value
b91988a63a24940038d9262827a5320c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5355.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro5355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5355.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/4188-195-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-196-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-198-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-200-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-202-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-204-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-206-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-208-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-210-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-212-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-214-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-216-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-218-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-220-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-222-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-224-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-226-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4188-228-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2940	un466056.exe
1308	pro5355.exe
4188	qu9559.exe
528	si625251.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5355.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c1c7d26c918812b63a67a9d525f987dccd525da73501eb17ce6776bbc056ce71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1c7d26c918812b63a67a9d525f987dccd525da73501eb17ce6776bbc056ce71.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un466056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un466056.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3872	1308	WerFault.exe	84
4632	4188	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1308	pro5355.exe
1308	pro5355.exe
4188	qu9559.exe
4188	qu9559.exe
528	si625251.exe
528	si625251.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	pro5355.exe
Token: SeDebugPrivilege	4188	qu9559.exe
Token: SeDebugPrivilege	528	si625251.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 2940	5012	c1c7d26c918812b63a67a9d525f987dccd525da73501eb17ce6776bbc056ce71.exe	83
PID 5012 wrote to memory of 2940	5012	c1c7d26c918812b63a67a9d525f987dccd525da73501eb17ce6776bbc056ce71.exe	83
PID 5012 wrote to memory of 2940	5012	c1c7d26c918812b63a67a9d525f987dccd525da73501eb17ce6776bbc056ce71.exe	83
PID 2940 wrote to memory of 1308	2940	un466056.exe	84
PID 2940 wrote to memory of 1308	2940	un466056.exe	84
PID 2940 wrote to memory of 1308	2940	un466056.exe	84
PID 2940 wrote to memory of 4188	2940	un466056.exe	91
PID 2940 wrote to memory of 4188	2940	un466056.exe	91
PID 2940 wrote to memory of 4188	2940	un466056.exe	91
PID 5012 wrote to memory of 528	5012	c1c7d26c918812b63a67a9d525f987dccd525da73501eb17ce6776bbc056ce71.exe	95
PID 5012 wrote to memory of 528	5012	c1c7d26c918812b63a67a9d525f987dccd525da73501eb17ce6776bbc056ce71.exe	95
PID 5012 wrote to memory of 528	5012	c1c7d26c918812b63a67a9d525f987dccd525da73501eb17ce6776bbc056ce71.exe	95

C:\Users\Admin\AppData\Local\Temp\c1c7d26c918812b63a67a9d525f987dccd525da73501eb17ce6776bbc056ce71.exe
"C:\Users\Admin\AppData\Local\Temp\c1c7d26c918812b63a67a9d525f987dccd525da73501eb17ce6776bbc056ce71.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466056.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466056.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1084
      4⤵
      Program crash
      PID:3872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9559.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9559.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1352
      4⤵
      Program crash
      PID:4632
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si625251.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si625251.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1308 -ip 1308
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4188 -ip 4188
1⤵
PID:3032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si625251.exe

Filesize
175KB

MD5
8b8a8959b48a1d5d858c63abfbe9bc67

SHA1
775adab7d7c13cf0d1631a6d2c1143c0648e736f

SHA256
d82c1e65d408f895ae1812bb4efb80e2bd88bed8eb704aad90afd5bead7639d7

SHA512
359071ce8aadbf0220a37813781c63048e4f5ede463a7017373b8e61be11f0a4bdfdeaa74bd5f5bf3044e8fedb7298fa78d502f74e340e6eb30598dd939aa82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si625251.exe

Filesize
175KB

MD5
8b8a8959b48a1d5d858c63abfbe9bc67

SHA1
775adab7d7c13cf0d1631a6d2c1143c0648e736f

SHA256
d82c1e65d408f895ae1812bb4efb80e2bd88bed8eb704aad90afd5bead7639d7

SHA512
359071ce8aadbf0220a37813781c63048e4f5ede463a7017373b8e61be11f0a4bdfdeaa74bd5f5bf3044e8fedb7298fa78d502f74e340e6eb30598dd939aa82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466056.exe

Filesize
553KB

MD5
b93a7b8f848e62e8fd60efa825e547c7

SHA1
e5527722ea5a34f9053c34d550efd351fb2a78b8

SHA256
cfc2f46ca41505ac006f8ed1900978c76557e1187b407e6c8bff07cd30a697c7

SHA512
33b1ef92a2e1b36f8bc923444f3613fceac817f0a31f076d614d641636391747ec9bdca3347c50b808bb17ac1828ccde9f267558064169c357002dbf3db06f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un466056.exe

Filesize
553KB

MD5
b93a7b8f848e62e8fd60efa825e547c7

SHA1
e5527722ea5a34f9053c34d550efd351fb2a78b8

SHA256
cfc2f46ca41505ac006f8ed1900978c76557e1187b407e6c8bff07cd30a697c7

SHA512
33b1ef92a2e1b36f8bc923444f3613fceac817f0a31f076d614d641636391747ec9bdca3347c50b808bb17ac1828ccde9f267558064169c357002dbf3db06f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe

Filesize
345KB

MD5
73fc95fdaf42cb2b1b296e0385eb5f81

SHA1
6a4997602f238ee00d3dc8092176df442b59e133

SHA256
478aa6371a562b642cbfff7be1fe8b867998b6c0c6be093190724c46923d2cb0

SHA512
63bdebf648717a9e04bc88ffc7adf48cd4c85b756d6732bbeaba80f5ca1027f0c6f8460d36d313c38c41affedf77644c5945f2503be9fb233d7852cd40c22142

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe

Filesize
345KB

MD5
73fc95fdaf42cb2b1b296e0385eb5f81

SHA1
6a4997602f238ee00d3dc8092176df442b59e133

SHA256
478aa6371a562b642cbfff7be1fe8b867998b6c0c6be093190724c46923d2cb0

SHA512
63bdebf648717a9e04bc88ffc7adf48cd4c85b756d6732bbeaba80f5ca1027f0c6f8460d36d313c38c41affedf77644c5945f2503be9fb233d7852cd40c22142

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9559.exe

Filesize
403KB

MD5
d0ba59c7b7c84e7cb811cb3d0c93b22e

SHA1
84ec16f96fd000a77463730a3762c5ddd90364f7

SHA256
83710ec608341f68992a2280a3fc82657d13663a1ec45fabf5542ee49e61985d

SHA512
d053b98f0ef14cbde96d0e9d83f83356a7947ca02e67c68ae24f957c95178392613edf803ec03eb48f649bdaffd9e5d5f68789056c1669d2017c1d08580b0af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9559.exe

Filesize
403KB

MD5
d0ba59c7b7c84e7cb811cb3d0c93b22e

SHA1
84ec16f96fd000a77463730a3762c5ddd90364f7

SHA256
83710ec608341f68992a2280a3fc82657d13663a1ec45fabf5542ee49e61985d

SHA512
d053b98f0ef14cbde96d0e9d83f83356a7947ca02e67c68ae24f957c95178392613edf803ec03eb48f649bdaffd9e5d5f68789056c1669d2017c1d08580b0af8

Download Submit
memory/528-1122-0x00000000007B0000-0x00000000007E2000-memory.dmp

Filesize
200KB

Download
memory/528-1123-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/528-1124-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/1308-160-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-172-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-152-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1308-153-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-154-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-156-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-158-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-150-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1308-162-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-164-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-166-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-168-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-170-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-151-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1308-174-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-176-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-178-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-180-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1308-181-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/1308-184-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1308-183-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1308-185-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1308-186-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/1308-149-0x0000000007360000-0x0000000007904000-memory.dmp

Filesize
5.6MB

Download
memory/1308-148-0x0000000002C70000-0x0000000002C9D000-memory.dmp

Filesize
180KB

Download
memory/4188-193-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4188-228-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-195-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-196-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-198-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-200-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-202-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-204-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-206-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-208-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-210-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-212-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-214-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-216-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-218-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-220-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-222-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-224-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-226-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4188-194-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4188-1101-0x0000000007930000-0x0000000007F48000-memory.dmp

Filesize
6.1MB

Download
memory/4188-1102-0x0000000007F80000-0x000000000808A000-memory.dmp

Filesize
1.0MB

Download
memory/4188-1103-0x00000000080C0000-0x00000000080D2000-memory.dmp

Filesize
72KB

Download
memory/4188-1105-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/4188-1104-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4188-1107-0x00000000083D0000-0x0000000008462000-memory.dmp

Filesize
584KB

Download
memory/4188-1108-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4188-1109-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4188-1110-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4188-1111-0x0000000008470000-0x00000000084D6000-memory.dmp

Filesize
408KB

Download
memory/4188-1112-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4188-1113-0x0000000008DD0000-0x0000000008F92000-memory.dmp

Filesize
1.8MB

Download
memory/4188-192-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4188-191-0x0000000002CD0000-0x0000000002D1B000-memory.dmp

Filesize
300KB

Download
memory/4188-1114-0x0000000008FB0000-0x00000000094DC000-memory.dmp

Filesize
5.2MB

Download
memory/4188-1115-0x0000000009620000-0x0000000009696000-memory.dmp

Filesize
472KB

Download
memory/4188-1116-0x00000000096B0000-0x0000000009700000-memory.dmp

Filesize
320KB

Download