redline | e48ef93bda259ca469f78ac8959deb6faddadd5322db82468240a914794dfcb5

Analysis

max time kernel
54s
max time network
69s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25/05/2023, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e48ef93bda259ca469f78ac8959deb6faddadd5322db82468240a914794dfcb5.exe
Size

1.0MB
MD5

1c2d5d984a07cf27da1313052de90d4d
SHA1

a48d6c3445b0aa614dbe4693be7998f6ed2023d4
SHA256

e48ef93bda259ca469f78ac8959deb6faddadd5322db82468240a914794dfcb5
SHA512

524b835092b63f95174233762fa749fdd08cfc4681687f6050effdc103f98e730139f0d092beaadc80fe620107b56c0ce75f547c93e90843b96222aa188d9809
SSDEEP

24576:vycNulu/rvuY3Upj0puMKJwk+tz9msP4VdQ0DffO:6A/rvuLpj02EJUsP4T

Score

10^/10

redline fash mina discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mina

83.97.73.122:19062

Attributes

auth_value
3d04bf4b8ba2a11c4dcf9df0e388fa05

Extracted

Family

redline

Botnet

fash

83.97.73.122:19062

Attributes

auth_value
dd7165bcd22b0ed3df426d944e12f136

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2520	v1442483.exe
2616	v5692195.exe
4132	a1534779.exe
1436	b5421905.exe
5060	c0848500.exe
3228	c0848500.exe
5056	d5895893.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5692195.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e48ef93bda259ca469f78ac8959deb6faddadd5322db82468240a914794dfcb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e48ef93bda259ca469f78ac8959deb6faddadd5322db82468240a914794dfcb5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1442483.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1442483.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5692195.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4132 set thread context of 2088	4132	a1534779.exe	70
PID 5060 set thread context of 3228	5060	c0848500.exe	74
PID 5056 set thread context of 776	5056	d5895893.exe	79

Program crash 1 IoCs

pid	pid_target	Process	procid_target
760	3228	WerFault.exe	74

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2088	AppLaunch.exe
2088	AppLaunch.exe
1436	b5421905.exe
1436	b5421905.exe
776	AppLaunch.exe
776	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	AppLaunch.exe
Token: SeDebugPrivilege	1436	b5421905.exe
Token: SeDebugPrivilege	5060	c0848500.exe
Token: SeDebugPrivilege	776	AppLaunch.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2520	2268	e48ef93bda259ca469f78ac8959deb6faddadd5322db82468240a914794dfcb5.exe	66
PID 2268 wrote to memory of 2520	2268	e48ef93bda259ca469f78ac8959deb6faddadd5322db82468240a914794dfcb5.exe	66
PID 2268 wrote to memory of 2520	2268	e48ef93bda259ca469f78ac8959deb6faddadd5322db82468240a914794dfcb5.exe	66
PID 2520 wrote to memory of 2616	2520	v1442483.exe	67
PID 2520 wrote to memory of 2616	2520	v1442483.exe	67
PID 2520 wrote to memory of 2616	2520	v1442483.exe	67
PID 2616 wrote to memory of 4132	2616	v5692195.exe	68
PID 2616 wrote to memory of 4132	2616	v5692195.exe	68
PID 2616 wrote to memory of 4132	2616	v5692195.exe	68
PID 4132 wrote to memory of 2088	4132	a1534779.exe	70
PID 4132 wrote to memory of 2088	4132	a1534779.exe	70
PID 4132 wrote to memory of 2088	4132	a1534779.exe	70
PID 4132 wrote to memory of 2088	4132	a1534779.exe	70
PID 4132 wrote to memory of 2088	4132	a1534779.exe	70
PID 2616 wrote to memory of 1436	2616	v5692195.exe	71
PID 2616 wrote to memory of 1436	2616	v5692195.exe	71
PID 2616 wrote to memory of 1436	2616	v5692195.exe	71
PID 2520 wrote to memory of 5060	2520	v1442483.exe	73
PID 2520 wrote to memory of 5060	2520	v1442483.exe	73
PID 2520 wrote to memory of 5060	2520	v1442483.exe	73
PID 5060 wrote to memory of 3228	5060	c0848500.exe	74
PID 5060 wrote to memory of 3228	5060	c0848500.exe	74
PID 5060 wrote to memory of 3228	5060	c0848500.exe	74
PID 5060 wrote to memory of 3228	5060	c0848500.exe	74
PID 5060 wrote to memory of 3228	5060	c0848500.exe	74
PID 5060 wrote to memory of 3228	5060	c0848500.exe	74
PID 5060 wrote to memory of 3228	5060	c0848500.exe	74
PID 5060 wrote to memory of 3228	5060	c0848500.exe	74
PID 5060 wrote to memory of 3228	5060	c0848500.exe	74
PID 5060 wrote to memory of 3228	5060	c0848500.exe	74
PID 2268 wrote to memory of 5056	2268	e48ef93bda259ca469f78ac8959deb6faddadd5322db82468240a914794dfcb5.exe	76
PID 2268 wrote to memory of 5056	2268	e48ef93bda259ca469f78ac8959deb6faddadd5322db82468240a914794dfcb5.exe	76
PID 2268 wrote to memory of 5056	2268	e48ef93bda259ca469f78ac8959deb6faddadd5322db82468240a914794dfcb5.exe	76
PID 5056 wrote to memory of 776	5056	d5895893.exe	79
PID 5056 wrote to memory of 776	5056	d5895893.exe	79
PID 5056 wrote to memory of 776	5056	d5895893.exe	79
PID 5056 wrote to memory of 776	5056	d5895893.exe	79
PID 5056 wrote to memory of 776	5056	d5895893.exe	79

C:\Users\Admin\AppData\Local\Temp\e48ef93bda259ca469f78ac8959deb6faddadd5322db82468240a914794dfcb5.exe
"C:\Users\Admin\AppData\Local\Temp\e48ef93bda259ca469f78ac8959deb6faddadd5322db82468240a914794dfcb5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1442483.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1442483.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5692195.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5692195.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1534779.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1534779.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4132
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5421905.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5421905.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0848500.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0848500.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0848500.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0848500.exe
      4⤵
      Executes dropped EXE
      PID:3228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 24
        5⤵
        Program crash
        
        PID:760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5895893.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5895893.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5895893.exe

Filesize
328KB

MD5
909528dd4aa5c7001a8224061afa5a1d

SHA1
f23306d422974af5fd374eef26f192903fd53612

SHA256
1a9c3d51351f20aa754afb9a9ad79578f47d9e71314602286048300682c662c9

SHA512
b7460ad9fcaa110dde27a4b587ec65fa4c6791b312f1da0cfa054e76e6c42ae20782c24cbae7833330c0d8ca0caae2067fd3271baf58e1eaa8a04b19e4125d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5895893.exe

Filesize
328KB

MD5
909528dd4aa5c7001a8224061afa5a1d

SHA1
f23306d422974af5fd374eef26f192903fd53612

SHA256
1a9c3d51351f20aa754afb9a9ad79578f47d9e71314602286048300682c662c9

SHA512
b7460ad9fcaa110dde27a4b587ec65fa4c6791b312f1da0cfa054e76e6c42ae20782c24cbae7833330c0d8ca0caae2067fd3271baf58e1eaa8a04b19e4125d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1442483.exe

Filesize
723KB

MD5
6817b7bdb35a040d13927a92950a256e

SHA1
3c853c1dd1e13aad2a1a16bd8ed72f41a64e2380

SHA256
dc49017db66f1b39c99ebab626f86a997c357d33eed00704ab982ce4ad851537

SHA512
a1c40120312397b217d3162d40f512eecdd7ac1c2e0812563c1938661876286cec55d69130311480e8333304635b7919fb22b6ef35d42de6f6744d561b85c9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1442483.exe

Filesize
723KB

MD5
6817b7bdb35a040d13927a92950a256e

SHA1
3c853c1dd1e13aad2a1a16bd8ed72f41a64e2380

SHA256
dc49017db66f1b39c99ebab626f86a997c357d33eed00704ab982ce4ad851537

SHA512
a1c40120312397b217d3162d40f512eecdd7ac1c2e0812563c1938661876286cec55d69130311480e8333304635b7919fb22b6ef35d42de6f6744d561b85c9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0848500.exe

Filesize
963KB

MD5
3f644846135caaec5315a2d45b11e76b

SHA1
d6c6fa27e14a7800c4d2671118d0bcf6da5082fe

SHA256
d3f31803e2908ab8793170ad2efe89591fae9120cf3c39ccb66092cd7fabe597

SHA512
bcb68bbdc1e044c05ce88d0a70429f10df455cc261ec538e23ff5aae0673d622eb1e695324e2068cd6bcc6c0a1cc709691e3d498067cb00b2cb1e556626db1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0848500.exe

Filesize
963KB

MD5
3f644846135caaec5315a2d45b11e76b

SHA1
d6c6fa27e14a7800c4d2671118d0bcf6da5082fe

SHA256
d3f31803e2908ab8793170ad2efe89591fae9120cf3c39ccb66092cd7fabe597

SHA512
bcb68bbdc1e044c05ce88d0a70429f10df455cc261ec538e23ff5aae0673d622eb1e695324e2068cd6bcc6c0a1cc709691e3d498067cb00b2cb1e556626db1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0848500.exe

Filesize
963KB

MD5
3f644846135caaec5315a2d45b11e76b

SHA1
d6c6fa27e14a7800c4d2671118d0bcf6da5082fe

SHA256
d3f31803e2908ab8793170ad2efe89591fae9120cf3c39ccb66092cd7fabe597

SHA512
bcb68bbdc1e044c05ce88d0a70429f10df455cc261ec538e23ff5aae0673d622eb1e695324e2068cd6bcc6c0a1cc709691e3d498067cb00b2cb1e556626db1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5692195.exe

Filesize
280KB

MD5
4bfa4c1ad2128b38d45c26d71fd4313d

SHA1
cd2da710cd2daa70dc52e2169a8fdcd1e4b8591c

SHA256
f5a7c4b4f85b70822a716d6800dd8271cd613d9cd874023036925fc69e4dbe2c

SHA512
c0ded18461dabcf37b6a52e1600b2b43a5f96f9625e20d9df8bc53c8f2b7984f4c043c6bb9085cb19862191a852fba33b580aa35419c8ce039cddf34f2c0c733

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5692195.exe

Filesize
280KB

MD5
4bfa4c1ad2128b38d45c26d71fd4313d

SHA1
cd2da710cd2daa70dc52e2169a8fdcd1e4b8591c

SHA256
f5a7c4b4f85b70822a716d6800dd8271cd613d9cd874023036925fc69e4dbe2c

SHA512
c0ded18461dabcf37b6a52e1600b2b43a5f96f9625e20d9df8bc53c8f2b7984f4c043c6bb9085cb19862191a852fba33b580aa35419c8ce039cddf34f2c0c733

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1534779.exe

Filesize
194KB

MD5
5a4e2319dc4287b36810a2458f968ccb

SHA1
eb9c5106fd617d372ee7be67b978c488bbab18e6

SHA256
ae18031029c688d4fcd69ee2ad3de4999325926b3c570f80e0b0b107093cc840

SHA512
42379394a79d9920f8ff2d53873e99480a1e1740e307d1c41828b14fc13627da0c33a6fc56f84033fecec6032fd21e7103e2bb579a66a7423752ab2af7eb63e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1534779.exe

Filesize
194KB

MD5
5a4e2319dc4287b36810a2458f968ccb

SHA1
eb9c5106fd617d372ee7be67b978c488bbab18e6

SHA256
ae18031029c688d4fcd69ee2ad3de4999325926b3c570f80e0b0b107093cc840

SHA512
42379394a79d9920f8ff2d53873e99480a1e1740e307d1c41828b14fc13627da0c33a6fc56f84033fecec6032fd21e7103e2bb579a66a7423752ab2af7eb63e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5421905.exe

Filesize
145KB

MD5
2d9bfb376c35f000c6d42ce7aa172c8a

SHA1
ea7579bb06f7861130c71a13820531a95e560674

SHA256
07867d9baed5fbb869ef6cca856720c6a81d92d51f92035c6d22a715a4b721ab

SHA512
c2c16f8070073a675b7080f63937a738e59020e01ec1b2f6552996f3850e5cf4259cd700a9467a3813eb70c144f24b757de261cc7d5d6cfa6fbe65ccc93e7e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5421905.exe

Filesize
145KB

MD5
2d9bfb376c35f000c6d42ce7aa172c8a

SHA1
ea7579bb06f7861130c71a13820531a95e560674

SHA256
07867d9baed5fbb869ef6cca856720c6a81d92d51f92035c6d22a715a4b721ab

SHA512
c2c16f8070073a675b7080f63937a738e59020e01ec1b2f6552996f3850e5cf4259cd700a9467a3813eb70c144f24b757de261cc7d5d6cfa6fbe65ccc93e7e3d

Download Submit
memory/776-205-0x00000000001A0000-0x00000000001CA000-memory.dmp

Filesize
168KB

Download
memory/776-214-0x0000000008B40000-0x0000000008B8B000-memory.dmp

Filesize
300KB

Download
memory/776-215-0x0000000008CA0000-0x0000000008CB0000-memory.dmp

Filesize
64KB

Download
memory/1436-171-0x0000000005EA0000-0x000000000639E000-memory.dmp

Filesize
5.0MB

Download
memory/1436-158-0x0000000004A30000-0x0000000004A6E000-memory.dmp

Filesize
248KB

Download
memory/1436-172-0x00000000063A0000-0x0000000006562000-memory.dmp

Filesize
1.8MB

Download
memory/1436-173-0x0000000006AA0000-0x0000000006FCC000-memory.dmp

Filesize
5.2MB

Download
memory/1436-188-0x0000000005C60000-0x0000000005CD6000-memory.dmp

Filesize
472KB

Download
memory/1436-189-0x0000000005CE0000-0x0000000005D30000-memory.dmp

Filesize
320KB

Download
memory/1436-190-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1436-169-0x0000000004D50000-0x0000000004DB6000-memory.dmp

Filesize
408KB

Download
memory/1436-160-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1436-154-0x0000000000180000-0x00000000001AA000-memory.dmp

Filesize
168KB

Download
memory/1436-155-0x0000000004F50000-0x0000000005556000-memory.dmp

Filesize
6.0MB

Download
memory/1436-156-0x0000000004AA0000-0x0000000004BAA000-memory.dmp

Filesize
1.0MB

Download
memory/1436-159-0x0000000004BB0000-0x0000000004BFB000-memory.dmp

Filesize
300KB

Download
memory/1436-170-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/1436-157-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/2088-143-0x0000000004380000-0x000000000438A000-memory.dmp

Filesize
40KB

Download
memory/3228-197-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5060-196-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/5060-195-0x0000000000800000-0x00000000008F8000-memory.dmp

Filesize
992KB

Download