redline | 0ace34e17d5adc9b4769716d17c69c45e009bb74c6146cf21f25aacd72a94746

Analysis

max time kernel
61s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2023 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ace34e17d5adc9b4769716d17c69c45e009bb74c6146cf21f25aacd72a94746.exe
Size

522KB
MD5

7eeaebca48e66bc48eb1b8d4fdf9c475
SHA1

2b8f7a8da06490bbd32f5ac62cb646d59fabfae9
SHA256

0ace34e17d5adc9b4769716d17c69c45e009bb74c6146cf21f25aacd72a94746
SHA512

235bf2f958223efc7272d455de827dcf474b3c721caf6777b7bf2ed7bd47a4180daf2d6eddb30640da5e940a50e07d3b9d9bf90a0f96cb0ca155e85dc03ab90b
SSDEEP

12288:/Mrby90iPO5fY6D0FmrTr58Pr28xO4vEzWK/iNveQureoc:Qy8YYnrTyr/xnvtKeVoc

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr740219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr740219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr740219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr740219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr740219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr740219.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4736-155-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-156-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-158-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-160-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-162-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-164-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-166-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-168-0x0000000002580000-0x0000000002590000-memory.dmp	family_redline
behavioral1/memory/4736-169-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-173-0x0000000002580000-0x0000000002590000-memory.dmp	family_redline
behavioral1/memory/4736-172-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-175-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-177-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-179-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-181-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-183-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-185-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-187-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-189-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-191-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-193-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-195-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-197-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-199-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-201-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-203-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-205-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-207-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-209-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-211-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-213-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-215-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-217-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-219-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline
behavioral1/memory/4736-221-0x0000000005030000-0x000000000506F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3196	zidK4975.exe
1156	jr740219.exe
4736	ku682018.exe
448	lr974767.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr740219.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zidK4975.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0ace34e17d5adc9b4769716d17c69c45e009bb74c6146cf21f25aacd72a94746.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0ace34e17d5adc9b4769716d17c69c45e009bb74c6146cf21f25aacd72a94746.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zidK4975.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1360	4736	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1156	jr740219.exe
1156	jr740219.exe
4736	ku682018.exe
4736	ku682018.exe
448	lr974767.exe
448	lr974767.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1156	jr740219.exe
Token: SeDebugPrivilege	4736	ku682018.exe
Token: SeDebugPrivilege	448	lr974767.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 3196	384	0ace34e17d5adc9b4769716d17c69c45e009bb74c6146cf21f25aacd72a94746.exe	78
PID 384 wrote to memory of 3196	384	0ace34e17d5adc9b4769716d17c69c45e009bb74c6146cf21f25aacd72a94746.exe	78
PID 384 wrote to memory of 3196	384	0ace34e17d5adc9b4769716d17c69c45e009bb74c6146cf21f25aacd72a94746.exe	78
PID 3196 wrote to memory of 1156	3196	zidK4975.exe	79
PID 3196 wrote to memory of 1156	3196	zidK4975.exe	79
PID 3196 wrote to memory of 4736	3196	zidK4975.exe	86
PID 3196 wrote to memory of 4736	3196	zidK4975.exe	86
PID 3196 wrote to memory of 4736	3196	zidK4975.exe	86
PID 384 wrote to memory of 448	384	0ace34e17d5adc9b4769716d17c69c45e009bb74c6146cf21f25aacd72a94746.exe	94
PID 384 wrote to memory of 448	384	0ace34e17d5adc9b4769716d17c69c45e009bb74c6146cf21f25aacd72a94746.exe	94
PID 384 wrote to memory of 448	384	0ace34e17d5adc9b4769716d17c69c45e009bb74c6146cf21f25aacd72a94746.exe	94

C:\Users\Admin\AppData\Local\Temp\0ace34e17d5adc9b4769716d17c69c45e009bb74c6146cf21f25aacd72a94746.exe
"C:\Users\Admin\AppData\Local\Temp\0ace34e17d5adc9b4769716d17c69c45e009bb74c6146cf21f25aacd72a94746.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidK4975.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidK4975.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740219.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740219.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku682018.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku682018.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1344
      4⤵
      Program crash
      PID:1360
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr974767.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr974767.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4736 -ip 4736
1⤵
PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr974767.exe

Filesize
175KB

MD5
44319c9326834f0da3afdb98f2a17daa

SHA1
902f06799dfc6971867ccf1b60b7b4d53ddc5b31

SHA256
8b9fa3b3205e559d01f787b5e76ea0c033cab4996e85213403c12ad7a3adc470

SHA512
e856d446abeb45abc0f36d7ab4b54074e284ee87604e979202d480c53d61c41fdf5307953dee43006fa18855a8edb1576ae2587debc276c2c0dbf8fd7298a2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr974767.exe

Filesize
175KB

MD5
44319c9326834f0da3afdb98f2a17daa

SHA1
902f06799dfc6971867ccf1b60b7b4d53ddc5b31

SHA256
8b9fa3b3205e559d01f787b5e76ea0c033cab4996e85213403c12ad7a3adc470

SHA512
e856d446abeb45abc0f36d7ab4b54074e284ee87604e979202d480c53d61c41fdf5307953dee43006fa18855a8edb1576ae2587debc276c2c0dbf8fd7298a2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidK4975.exe

Filesize
380KB

MD5
87969c4a4379a4d78ceff3fb40b8eb03

SHA1
4137b7654aacf3a9ddb11b94243c87801bfd938c

SHA256
ee0cfe8e8eadeec468b541b644b5636119bc371b54351b4976411baf7ea1b9ad

SHA512
f8c79eb6dad621713191ad4f5d1d70315b00a96f0b9adc94b2a5cd4961c1d396b51e52923eec3c68e8d0c38de2d6c0e7ae2dad4026e29a717348e123043dd8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidK4975.exe

Filesize
380KB

MD5
87969c4a4379a4d78ceff3fb40b8eb03

SHA1
4137b7654aacf3a9ddb11b94243c87801bfd938c

SHA256
ee0cfe8e8eadeec468b541b644b5636119bc371b54351b4976411baf7ea1b9ad

SHA512
f8c79eb6dad621713191ad4f5d1d70315b00a96f0b9adc94b2a5cd4961c1d396b51e52923eec3c68e8d0c38de2d6c0e7ae2dad4026e29a717348e123043dd8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740219.exe

Filesize
15KB

MD5
1ace0d190fb3c085528edf603c5518af

SHA1
86828d26d61d46d3c0f7df8ec7ea85cc320f45f5

SHA256
f6405b4b30e3cc3eda0e23691bd5cd918694b5a588b39ac9a07634dc7dcc95d8

SHA512
a906af498253c49c2a658816210b723ab1fd8b42eecd97598eadeb7cbf9305c3b2bbf93b50532fc91484480840f82bec1b5748f95e3e99574049520e1e5c6d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740219.exe

Filesize
15KB

MD5
1ace0d190fb3c085528edf603c5518af

SHA1
86828d26d61d46d3c0f7df8ec7ea85cc320f45f5

SHA256
f6405b4b30e3cc3eda0e23691bd5cd918694b5a588b39ac9a07634dc7dcc95d8

SHA512
a906af498253c49c2a658816210b723ab1fd8b42eecd97598eadeb7cbf9305c3b2bbf93b50532fc91484480840f82bec1b5748f95e3e99574049520e1e5c6d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku682018.exe

Filesize
294KB

MD5
dc4b767bdf99c7de7e5af0300540a59f

SHA1
7c1c25c370e2a3ccaa5dc40aa96bf0137d087230

SHA256
c519577ce4ec6e4fd53d7d4f4928af54ec061409051f580bb47e93d80a9f88c8

SHA512
1dba4ae984da019ed123a944fb9ada090a6aa08a269096584f0621ee299a1527d7cdf11826186a89cff1b80a40aa8fbd75fa6ece2f18d4264fc05c4fd31c1870

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku682018.exe

Filesize
294KB

MD5
dc4b767bdf99c7de7e5af0300540a59f

SHA1
7c1c25c370e2a3ccaa5dc40aa96bf0137d087230

SHA256
c519577ce4ec6e4fd53d7d4f4928af54ec061409051f580bb47e93d80a9f88c8

SHA512
1dba4ae984da019ed123a944fb9ada090a6aa08a269096584f0621ee299a1527d7cdf11826186a89cff1b80a40aa8fbd75fa6ece2f18d4264fc05c4fd31c1870

Download Submit
memory/448-1085-0x0000000000010000-0x0000000000042000-memory.dmp

Filesize
200KB

Download
memory/448-1086-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1156-147-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/4736-189-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-201-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-155-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-156-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-158-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-160-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-162-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-164-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-166-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-168-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/4736-169-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-171-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/4736-173-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/4736-172-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-175-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-177-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-179-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-181-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-183-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-185-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-187-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-153-0x0000000002030000-0x000000000207B000-memory.dmp

Filesize
300KB

Download
memory/4736-191-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-193-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-195-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-197-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-199-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-154-0x0000000004A80000-0x0000000005024000-memory.dmp

Filesize
5.6MB

Download
memory/4736-203-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-205-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-207-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-209-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-211-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-213-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-215-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-217-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-219-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-221-0x0000000005030000-0x000000000506F000-memory.dmp

Filesize
252KB

Download
memory/4736-1064-0x0000000005200000-0x0000000005818000-memory.dmp

Filesize
6.1MB

Download
memory/4736-1065-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/4736-1066-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/4736-1067-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/4736-1068-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/4736-1070-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/4736-1071-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/4736-1072-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/4736-1073-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/4736-1074-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/4736-1075-0x0000000006490000-0x0000000006506000-memory.dmp

Filesize
472KB

Download
memory/4736-1076-0x0000000006520000-0x0000000006570000-memory.dmp

Filesize
320KB

Download
memory/4736-1077-0x00000000066A0000-0x0000000006862000-memory.dmp

Filesize
1.8MB

Download
memory/4736-1078-0x0000000006870000-0x0000000006D9C000-memory.dmp

Filesize
5.2MB

Download
memory/4736-1079-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download