redline | 596cec9e4e862d185a53e3f7190c81926b9bafc55fdac7f28e8a32e4fb35d04f

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2023 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

596cec9e4e862d185a53e3f7190c81926b9bafc55fdac7f28e8a32e4fb35d04f.exe
Size

729KB
MD5

9a3edf0c98540f00d08bc89a386a1829
SHA1

9d46912ad6dcfb7db55badbd7cbe36e4fc166869
SHA256

596cec9e4e862d185a53e3f7190c81926b9bafc55fdac7f28e8a32e4fb35d04f
SHA512

7394ebfb300d0cf19b81ef0376c363a75bded0961a6dfeabbc0c0c2fe70dff0c239f9bb43376bb34c7a3f213661923c4053db429439ac1c1d68a82a226f71264
SSDEEP

12288:cMrRy90RmptDm64Q+wCCVCElzH3psdbX9EEXTW94qYYL3Q:tyUgsQzCCdXps5NEEXTC4M3Q

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a5950562.exeAppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5950562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5950562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5950562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5950562.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5950562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5950562.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 6 IoCs

Processes:

v4576752.exev4321216.exev1130851.exea5950562.exeb0985947.exec5605535.exe

pid process

2912 v4576752.exe
648 v4321216.exe
1464 v1130851.exe
2896 a5950562.exe
3512 b0985947.exe
4260 c5605535.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a5950562.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a5950562.exe

pid	process
2912	v4576752.exe
648	v4321216.exe
1464	v1130851.exe
2896	a5950562.exe
3512	b0985947.exe
4260	c5605535.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5950562.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

596cec9e4e862d185a53e3f7190c81926b9bafc55fdac7f28e8a32e4fb35d04f.exev4576752.exev4321216.exev1130851.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	596cec9e4e862d185a53e3f7190c81926b9bafc55fdac7f28e8a32e4fb35d04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	596cec9e4e862d185a53e3f7190c81926b9bafc55fdac7f28e8a32e4fb35d04f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4576752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4576752.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4321216.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4321216.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1130851.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1130851.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

b0985947.exe

description pid process target process

PID 3512 set thread context of 2568 3512 b0985947.exe AppLaunch.exe

description	pid	process	target process
PID 3512 set thread context of 2568	3512	b0985947.exe	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

a5950562.exeAppLaunch.exec5605535.exe

pid	process
2896	a5950562.exe
2896	a5950562.exe
2568	AppLaunch.exe
2568	AppLaunch.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe
4260	c5605535.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a5950562.exeAppLaunch.exec5605535.exe

description pid process

Token: SeDebugPrivilege 2896 a5950562.exe
Token: SeDebugPrivilege 2568 AppLaunch.exe
Token: SeDebugPrivilege 4260 c5605535.exe

description	pid	process
Token: SeDebugPrivilege	2896	a5950562.exe
Token: SeDebugPrivilege	2568	AppLaunch.exe
Token: SeDebugPrivilege	4260	c5605535.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

596cec9e4e862d185a53e3f7190c81926b9bafc55fdac7f28e8a32e4fb35d04f.exev4576752.exev4321216.exev1130851.exeb0985947.exe

description	pid	process	target process
PID 4400 wrote to memory of 2912	4400	596cec9e4e862d185a53e3f7190c81926b9bafc55fdac7f28e8a32e4fb35d04f.exe	v4576752.exe
PID 4400 wrote to memory of 2912	4400	596cec9e4e862d185a53e3f7190c81926b9bafc55fdac7f28e8a32e4fb35d04f.exe	v4576752.exe
PID 4400 wrote to memory of 2912	4400	596cec9e4e862d185a53e3f7190c81926b9bafc55fdac7f28e8a32e4fb35d04f.exe	v4576752.exe
PID 2912 wrote to memory of 648	2912	v4576752.exe	v4321216.exe
PID 2912 wrote to memory of 648	2912	v4576752.exe	v4321216.exe
PID 2912 wrote to memory of 648	2912	v4576752.exe	v4321216.exe
PID 648 wrote to memory of 1464	648	v4321216.exe	v1130851.exe
PID 648 wrote to memory of 1464	648	v4321216.exe	v1130851.exe
PID 648 wrote to memory of 1464	648	v4321216.exe	v1130851.exe
PID 1464 wrote to memory of 2896	1464	v1130851.exe	a5950562.exe
PID 1464 wrote to memory of 2896	1464	v1130851.exe	a5950562.exe
PID 1464 wrote to memory of 3512	1464	v1130851.exe	b0985947.exe
PID 1464 wrote to memory of 3512	1464	v1130851.exe	b0985947.exe
PID 1464 wrote to memory of 3512	1464	v1130851.exe	b0985947.exe
PID 3512 wrote to memory of 2568	3512	b0985947.exe	AppLaunch.exe
PID 3512 wrote to memory of 2568	3512	b0985947.exe	AppLaunch.exe
PID 3512 wrote to memory of 2568	3512	b0985947.exe	AppLaunch.exe
PID 3512 wrote to memory of 2568	3512	b0985947.exe	AppLaunch.exe
PID 3512 wrote to memory of 2568	3512	b0985947.exe	AppLaunch.exe
PID 648 wrote to memory of 4260	648	v4321216.exe	c5605535.exe
PID 648 wrote to memory of 4260	648	v4321216.exe	c5605535.exe
PID 648 wrote to memory of 4260	648	v4321216.exe	c5605535.exe

C:\Users\Admin\AppData\Local\Temp\596cec9e4e862d185a53e3f7190c81926b9bafc55fdac7f28e8a32e4fb35d04f.exe
"C:\Users\Admin\AppData\Local\Temp\596cec9e4e862d185a53e3f7190c81926b9bafc55fdac7f28e8a32e4fb35d04f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4576752.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4576752.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4321216.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4321216.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1130851.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1130851.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5950562.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5950562.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0985947.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0985947.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5605535.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5605535.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4576752.exe

Filesize
526KB

MD5
34c6dd09d4922c972824645e9cd61b05

SHA1
cd545e13ff9b9b17e06e521b4e46c49db250dc0f

SHA256
f24e67a8ca4152912d55e19362a5b388d82a65d2d04fd449f3e4c9a6e945b59d

SHA512
b0fd13d149c544d904692b9e08d3256e93ef378941e1fcaec3e945a5c7b6c878d4dc971e6b48dddc52d784702c9df6a228559c18d727610f1e21cda98ffcc348

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4576752.exe

Filesize
526KB

MD5
34c6dd09d4922c972824645e9cd61b05

SHA1
cd545e13ff9b9b17e06e521b4e46c49db250dc0f

SHA256
f24e67a8ca4152912d55e19362a5b388d82a65d2d04fd449f3e4c9a6e945b59d

SHA512
b0fd13d149c544d904692b9e08d3256e93ef378941e1fcaec3e945a5c7b6c878d4dc971e6b48dddc52d784702c9df6a228559c18d727610f1e21cda98ffcc348

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4321216.exe

Filesize
354KB

MD5
30f5a00c62837d107b8e1a090ccb3a87

SHA1
bd91009daf24f83027df85725eb82323bf80f9a9

SHA256
b7d72b179e6b52cf73ca159e70c92acca14c502b58ce4ca00b9988777d3f6957

SHA512
f2303abc517c7defff7d44881c7c5297152ec89a5d3998d2289ca7869c7988de20b7ee27bee3a60e95805bec52a057803e8a10448e78af7907dd9f25bb413370

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4321216.exe

Filesize
354KB

MD5
30f5a00c62837d107b8e1a090ccb3a87

SHA1
bd91009daf24f83027df85725eb82323bf80f9a9

SHA256
b7d72b179e6b52cf73ca159e70c92acca14c502b58ce4ca00b9988777d3f6957

SHA512
f2303abc517c7defff7d44881c7c5297152ec89a5d3998d2289ca7869c7988de20b7ee27bee3a60e95805bec52a057803e8a10448e78af7907dd9f25bb413370

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5605535.exe

Filesize
172KB

MD5
5732d2286fe6618ef8f5789c5d05f9fa

SHA1
c90a81b7c53045a209abf9ca88bc0e143bcdfa7c

SHA256
07349ec6e3a6f2af0b0d19824f6e3db543ab5fa28226f989bf84742d53236129

SHA512
bb1c2ce7712ebc9d6ed70e78c6aa743401eca1954bcdaf1597b68085e97f2f7f823e6b86f209f0ec334b2aa3eea4ed3ceb4a7700b491175baa0b29d122470cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5605535.exe

Filesize
172KB

MD5
5732d2286fe6618ef8f5789c5d05f9fa

SHA1
c90a81b7c53045a209abf9ca88bc0e143bcdfa7c

SHA256
07349ec6e3a6f2af0b0d19824f6e3db543ab5fa28226f989bf84742d53236129

SHA512
bb1c2ce7712ebc9d6ed70e78c6aa743401eca1954bcdaf1597b68085e97f2f7f823e6b86f209f0ec334b2aa3eea4ed3ceb4a7700b491175baa0b29d122470cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1130851.exe

Filesize
199KB

MD5
553c59263f755a272f072b23787f7226

SHA1
38fc75cd4a00ae7d3e7395896bbc40d162c42762

SHA256
abe75f7a97b4d8c4199c1bd37a4a16a9e2918618da04b9432ae7adc80feb5c92

SHA512
e68aaad8811aef608834a0641037581b6e2ad1f489d4b0710ad90129b9b0d6277850f375e4a73822ec270559e0af18787be39c43bfd2d8acc8eca667876955d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1130851.exe

Filesize
199KB

MD5
553c59263f755a272f072b23787f7226

SHA1
38fc75cd4a00ae7d3e7395896bbc40d162c42762

SHA256
abe75f7a97b4d8c4199c1bd37a4a16a9e2918618da04b9432ae7adc80feb5c92

SHA512
e68aaad8811aef608834a0641037581b6e2ad1f489d4b0710ad90129b9b0d6277850f375e4a73822ec270559e0af18787be39c43bfd2d8acc8eca667876955d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5950562.exe

Filesize
12KB

MD5
764537fb4d489772d8325c4ccce4ee93

SHA1
6170db4cca8676a19a460afedd5882ceadd5c261

SHA256
3f23c71475984f1e921a2955739f08207daa7e499a20758c490b45d266a31d9e

SHA512
198b25233656edff290790d56867114ac8f16a1d0b4025913fbcac8d53da9f4fa340f829c851995e9e7ac9619915303ee269ffa76893c2c06af683cc6fbd537f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5950562.exe

Filesize
12KB

MD5
764537fb4d489772d8325c4ccce4ee93

SHA1
6170db4cca8676a19a460afedd5882ceadd5c261

SHA256
3f23c71475984f1e921a2955739f08207daa7e499a20758c490b45d266a31d9e

SHA512
198b25233656edff290790d56867114ac8f16a1d0b4025913fbcac8d53da9f4fa340f829c851995e9e7ac9619915303ee269ffa76893c2c06af683cc6fbd537f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0985947.exe

Filesize
105KB

MD5
3bb0154e3cae7af5477dbd8039fa5b27

SHA1
112441470494b971c07b0a8ccf8fc07b3c63a813

SHA256
e6884d952d5b553a0ddeb0da57933dbd861176b6b90a13a42aa51b1ae1d48fa9

SHA512
b4d30018c09244edfcb4e9a89d1eb986769ae8b53cec3e448d2c82dae9867684579bb4d1d529087511f867dfcd3d07b4120c95cea7d82171b49be72203301867

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0985947.exe

Filesize
105KB

MD5
3bb0154e3cae7af5477dbd8039fa5b27

SHA1
112441470494b971c07b0a8ccf8fc07b3c63a813

SHA256
e6884d952d5b553a0ddeb0da57933dbd861176b6b90a13a42aa51b1ae1d48fa9

SHA512
b4d30018c09244edfcb4e9a89d1eb986769ae8b53cec3e448d2c82dae9867684579bb4d1d529087511f867dfcd3d07b4120c95cea7d82171b49be72203301867

Download Submit
memory/2568-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2896-161-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/4260-174-0x00000000009B0000-0x00000000009E0000-memory.dmp

Filesize
192KB

Download
memory/4260-175-0x000000000ADC0000-0x000000000B3D8000-memory.dmp

Filesize
6.1MB

Download
memory/4260-176-0x000000000A930000-0x000000000AA3A000-memory.dmp

Filesize
1.0MB

Download
memory/4260-177-0x000000000A870000-0x000000000A882000-memory.dmp

Filesize
72KB

Download
memory/4260-178-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/4260-179-0x000000000A8D0000-0x000000000A90C000-memory.dmp

Filesize
240KB

Download
memory/4260-180-0x000000000ABE0000-0x000000000AC56000-memory.dmp

Filesize
472KB

Download
memory/4260-181-0x000000000B480000-0x000000000B512000-memory.dmp

Filesize
584KB

Download
memory/4260-182-0x000000000B3E0000-0x000000000B446000-memory.dmp

Filesize
408KB

Download
memory/4260-183-0x000000000BDD0000-0x000000000C374000-memory.dmp

Filesize
5.6MB

Download
memory/4260-184-0x000000000BA40000-0x000000000BA90000-memory.dmp

Filesize
320KB

Download
memory/4260-186-0x000000000C380000-0x000000000C542000-memory.dmp

Filesize
1.8MB

Download
memory/4260-187-0x000000000CA80000-0x000000000CFAC000-memory.dmp

Filesize
5.2MB

Download
memory/4260-188-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download