Overview

overview

10

Static

static

27a01bb6c3...11.exe

windows7_x64

10

27a01bb6c3...11.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    23-11-2021 08:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27a01bb6c3c0fb64872fcc735c5a0c11.exe

  • Size

    292KB

  • MD5

    27a01bb6c3c0fb64872fcc735c5a0c11

  • SHA1

    fd04391befff7c59157ae802daf0d89f53dde9bb

  • SHA256

    53a53bf9f523096ddbdf4f6a65cb51464d9c0c8458c2994cdc1e467d20742e64

  • SHA512

    6eeae3bafbc546caf4b3e75fa1b1ef383d9c201afd8ae1e94cfa60ec2fc1d7750e08e28b0b4b1314f187978974dff88e72ccef9e6e29777b49bc79cf2d552ab9

Score
10/10
arkeiredlinesmokeloadertofsee@123defaultbackdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

http://nalirou70.top/

http://xacokuo80.top/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

C2

185.159.80.90:38637

Extracted

Family

redline

Botnet

@123

C2

141.95.82.50:63652

Extracted

Family

arkei

Botnet

Default

C2

http://file-file-host4.com/tratata.php

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata
  • Arkei Stealer Payload 2 IoCs
    stealer
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27a01bb6c3c0fb64872fcc735c5a0c11.exe
    "C:\Users\Admin\AppData\Local\Temp\27a01bb6c3c0fb64872fcc735c5a0c11.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Local\Temp\27a01bb6c3c0fb64872fcc735c5a0c11.exe
      "C:\Users\Admin\AppData\Local\Temp\27a01bb6c3c0fb64872fcc735c5a0c11.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1336
  • C:\Users\Admin\AppData\Local\Temp\BD56.exe
    C:\Users\Admin\AppData\Local\Temp\BD56.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\BD56.exe
      C:\Users\Admin\AppData\Local\Temp\BD56.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1088
  • C:\Users\Admin\AppData\Local\Temp\C14D.exe
    C:\Users\Admin\AppData\Local\Temp\C14D.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\eugbgeca\
      2⤵
        PID:1932
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pitjurkd.exe" C:\Windows\SysWOW64\eugbgeca\
        2⤵
          PID:848
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create eugbgeca binPath= "C:\Windows\SysWOW64\eugbgeca\pitjurkd.exe /d\"C:\Users\Admin\AppData\Local\Temp\C14D.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1864
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description eugbgeca "wifi internet conection"
            2⤵
              PID:1868
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start eugbgeca
              2⤵
                PID:1820
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:936
              • C:\Users\Admin\AppData\Local\Temp\CE59.exe
                C:\Users\Admin\AppData\Local\Temp\CE59.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1060
                • C:\Users\Admin\AppData\Local\Temp\CE59.exe
                  C:\Users\Admin\AppData\Local\Temp\CE59.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:588
              • C:\Windows\SysWOW64\eugbgeca\pitjurkd.exe
                C:\Windows\SysWOW64\eugbgeca\pitjurkd.exe /d"C:\Users\Admin\AppData\Local\Temp\C14D.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1188
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  PID:956
              • C:\Users\Admin\AppData\Local\Temp\2983.exe
                C:\Users\Admin\AppData\Local\Temp\2983.exe
                1⤵
                • Executes dropped EXE
                • Checks SCSI registry key(s)
                • Suspicious behavior: MapViewOfSection
                PID:1984
              • C:\Users\Admin\AppData\Local\Temp\2C62.exe
                C:\Users\Admin\AppData\Local\Temp\2C62.exe
                1⤵
                • Executes dropped EXE
                PID:1960
              • C:\Users\Admin\AppData\Local\Temp\3CEA.exe
                C:\Users\Admin\AppData\Local\Temp\3CEA.exe
                1⤵
                • Executes dropped EXE
                PID:304

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              New Service

              1
              T1050

              Modify Existing Service

              1
              T1031

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              New Service

              1
              T1050

              Defense Evasion

              Disabling Security Tools

              1
              T1089

              Modify Registry

              2
              T1112

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              Query Registry

              2
              T1012

              System Information Discovery

              2
              T1082

              Peripheral Device Discovery

              1
              T1120

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Exfiltration

              Command and Control

              Web Service

              1
              T1102

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\2983.exe
                MD5

                03651bfa0fa57d86e5a612e0cc81bc09

                SHA1

                67738024bea02128f0d7a9939e193dc706bcd0d8

                SHA256

                48183fd297159559ea5ca3f626bf6ade7bdbaeefec816116a30da7969642ce6b

                SHA512

                b9efdef3230478dc4691034bc7e556c313c536115166e4493f7754755d6ab9515c771f51620a5bf5c21bf19b42eb77d95bd040b0f1d3205c715cb21175cffbd4

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\2C62.exe
                MD5

                b25fdabef081394cfc659b7f9574e323

                SHA1

                84c00d9786f82767814033f70401cb193e0024c0

                SHA256

                ebc4acabf30b159e1a855e529b5c045fa7af9356e70433fa3ce8ce9599b151e6

                SHA512

                42dae5ed2501280d02102d9969a60f7415a688af4db9b93949e1e6c4e3928916e374a9e47416aad32e6eb6f30b0e7966bc699bd13fbbd14b3c7059f8540f45a8

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\2C62.exe
                MD5

                b25fdabef081394cfc659b7f9574e323

                SHA1

                84c00d9786f82767814033f70401cb193e0024c0

                SHA256

                ebc4acabf30b159e1a855e529b5c045fa7af9356e70433fa3ce8ce9599b151e6

                SHA512

                42dae5ed2501280d02102d9969a60f7415a688af4db9b93949e1e6c4e3928916e374a9e47416aad32e6eb6f30b0e7966bc699bd13fbbd14b3c7059f8540f45a8

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\3CEA.exe
                MD5

                dd139264535ee2af7df528a629b11caf

                SHA1

                630b5895a6f411623177e0112dc778384af0bf6c

                SHA256

                5abb764896f6173f1973b439fd705b9522e59bd3b57b362892ba20d9929e8455

                SHA512

                5d9a3a904b8531a18f24835dde842ac48677682a09611e7606b7c2ed3426cdb2ad56095e2f739111e05f62761c76203459f5afa837833420a7feb787e1167772

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\BD56.exe
                MD5

                b7981b3c71da88741c5be4349f691829

                SHA1

                e0fe38a33bffdabcf37b2ce7b6a2bf0bd21cd3eb

                SHA256

                14267da9eb76e935a0e22c8700ba8916d3e31b5997d2a1bc0edfe439d09f435b

                SHA512

                2e9376b0739f02cabc1736aab34e15d97499a461214a0944e80ef6c0afcf5202e2c35878710090948417a0a39cea3689e7d76b0b21d56d2c9fa21ac42cbf61d9

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\BD56.exe
                MD5

                b7981b3c71da88741c5be4349f691829

                SHA1

                e0fe38a33bffdabcf37b2ce7b6a2bf0bd21cd3eb

                SHA256

                14267da9eb76e935a0e22c8700ba8916d3e31b5997d2a1bc0edfe439d09f435b

                SHA512

                2e9376b0739f02cabc1736aab34e15d97499a461214a0944e80ef6c0afcf5202e2c35878710090948417a0a39cea3689e7d76b0b21d56d2c9fa21ac42cbf61d9

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\BD56.exe
                MD5

                b7981b3c71da88741c5be4349f691829

                SHA1

                e0fe38a33bffdabcf37b2ce7b6a2bf0bd21cd3eb

                SHA256

                14267da9eb76e935a0e22c8700ba8916d3e31b5997d2a1bc0edfe439d09f435b

                SHA512

                2e9376b0739f02cabc1736aab34e15d97499a461214a0944e80ef6c0afcf5202e2c35878710090948417a0a39cea3689e7d76b0b21d56d2c9fa21ac42cbf61d9

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\C14D.exe
                MD5

                2a19f07c0c822efed923fccc2fbfd3ee

                SHA1

                21892b14eae94d9efc116d4c26179ea7259736e7

                SHA256

                ebc9363be598521bca4653506ed233ea8f7a52a0c7ed4a121130bbc1a1f27e2f

                SHA512

                421190d41cc983b0e7de72b8e60460dbb9ad8b67341b17a711738befa8a443e19aee0c982d7541ae1a3265dd0f86203ab1287f48320bc0b95be06a100a1be682

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\C14D.exe
                MD5

                2a19f07c0c822efed923fccc2fbfd3ee

                SHA1

                21892b14eae94d9efc116d4c26179ea7259736e7

                SHA256

                ebc9363be598521bca4653506ed233ea8f7a52a0c7ed4a121130bbc1a1f27e2f

                SHA512

                421190d41cc983b0e7de72b8e60460dbb9ad8b67341b17a711738befa8a443e19aee0c982d7541ae1a3265dd0f86203ab1287f48320bc0b95be06a100a1be682

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\CE59.exe
                MD5

                a50ee9aad29943a28a90270c948aa700

                SHA1

                188bfab768eb5d04f6d637838ebdc4e5583febd0

                SHA256

                162182dc55594ee769bc830588561c7ba9ae2be7d2b2139b0b2dfc485cfb2fcc

                SHA512

                556422af21215937dde56718a5dbcea547c70460ba1b4c36d075297b3574dfe2cd7c6641211d97aabe5eec8efc2b9d3ce83f8e1d36a5b8e4d1d00a093cd6b3d2

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\CE59.exe
                MD5

                a50ee9aad29943a28a90270c948aa700

                SHA1

                188bfab768eb5d04f6d637838ebdc4e5583febd0

                SHA256

                162182dc55594ee769bc830588561c7ba9ae2be7d2b2139b0b2dfc485cfb2fcc

                SHA512

                556422af21215937dde56718a5dbcea547c70460ba1b4c36d075297b3574dfe2cd7c6641211d97aabe5eec8efc2b9d3ce83f8e1d36a5b8e4d1d00a093cd6b3d2

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\CE59.exe
                MD5

                a50ee9aad29943a28a90270c948aa700

                SHA1

                188bfab768eb5d04f6d637838ebdc4e5583febd0

                SHA256

                162182dc55594ee769bc830588561c7ba9ae2be7d2b2139b0b2dfc485cfb2fcc

                SHA512

                556422af21215937dde56718a5dbcea547c70460ba1b4c36d075297b3574dfe2cd7c6641211d97aabe5eec8efc2b9d3ce83f8e1d36a5b8e4d1d00a093cd6b3d2

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\pitjurkd.exe
                MD5

                391e0fd9be70db079395821dbc354983

                SHA1

                c253d65ddc45a1ecc80506db9206d48697a48ce2

                SHA256

                26e80078b727014378f42150d2a806eba81b0a3983fab516feb5a3983b84e6bf

                SHA512

                a108f3b52f5bbb665a40780d72dcd3017ab55fdaed0e14b028028e46785c79f8e31dc18212e86d601dcea0ccc0949d35657997d356100215e327b316a8264de3

                Download Submit
              • C:\Windows\SysWOW64\eugbgeca\pitjurkd.exe
                MD5

                391e0fd9be70db079395821dbc354983

                SHA1

                c253d65ddc45a1ecc80506db9206d48697a48ce2

                SHA256

                26e80078b727014378f42150d2a806eba81b0a3983fab516feb5a3983b84e6bf

                SHA512

                a108f3b52f5bbb665a40780d72dcd3017ab55fdaed0e14b028028e46785c79f8e31dc18212e86d601dcea0ccc0949d35657997d356100215e327b316a8264de3

                Download Submit
              • \Users\Admin\AppData\Local\Temp\BD56.exe
                MD5

                b7981b3c71da88741c5be4349f691829

                SHA1

                e0fe38a33bffdabcf37b2ce7b6a2bf0bd21cd3eb

                SHA256

                14267da9eb76e935a0e22c8700ba8916d3e31b5997d2a1bc0edfe439d09f435b

                SHA512

                2e9376b0739f02cabc1736aab34e15d97499a461214a0944e80ef6c0afcf5202e2c35878710090948417a0a39cea3689e7d76b0b21d56d2c9fa21ac42cbf61d9

                Download Submit
              • \Users\Admin\AppData\Local\Temp\CE59.exe
                MD5

                a50ee9aad29943a28a90270c948aa700

                SHA1

                188bfab768eb5d04f6d637838ebdc4e5583febd0

                SHA256

                162182dc55594ee769bc830588561c7ba9ae2be7d2b2139b0b2dfc485cfb2fcc

                SHA512

                556422af21215937dde56718a5dbcea547c70460ba1b4c36d075297b3574dfe2cd7c6641211d97aabe5eec8efc2b9d3ce83f8e1d36a5b8e4d1d00a093cd6b3d2

                Download Submit
              • memory/304-125-0x0000000000000000-mapping.dmp
                Download
              • memory/304-128-0x0000000002C8B000-0x0000000002C9F000-memory.dmp
                Filesize

                80KB

                Download
              • memory/304-131-0x0000000000400000-0x0000000002B45000-memory.dmp
                Filesize

                39.3MB

                Download
              • memory/304-130-0x0000000000220000-0x0000000000241000-memory.dmp
                Filesize

                132KB

                Download
              • memory/588-104-0x0000000004960000-0x0000000004961000-memory.dmp
                Filesize

                4KB

                Download
              • memory/588-100-0x0000000000418EE6-mapping.dmp
                Download
              • memory/588-102-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/588-99-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/588-98-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/588-97-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/588-95-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/588-96-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/756-55-0x0000000002BED000-0x0000000002BFE000-memory.dmp
                Filesize

                68KB

                Download
              • memory/756-59-0x0000000000220000-0x0000000000229000-memory.dmp
                Filesize

                36KB

                Download
              • memory/848-84-0x0000000000000000-mapping.dmp
                Download
              • memory/936-91-0x0000000000000000-mapping.dmp
                Download
              • memory/956-108-0x0000000000080000-0x0000000000095000-memory.dmp
                Filesize

                84KB

                Download
              • memory/956-109-0x0000000000089A6B-mapping.dmp
                Download
              • memory/956-107-0x0000000000080000-0x0000000000095000-memory.dmp
                Filesize

                84KB

                Download
              • memory/1060-77-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1060-86-0x00000000020E0000-0x00000000020E1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1060-72-0x0000000000000000-mapping.dmp
                Download
              • memory/1088-68-0x0000000000400000-0x0000000000408000-memory.dmp
                Filesize

                32KB

                Download
              • memory/1088-69-0x0000000000402DC6-mapping.dmp
                Download
              • memory/1188-111-0x0000000000400000-0x0000000002B41000-memory.dmp
                Filesize

                39.3MB

                Download
              • memory/1188-105-0x000000000024B000-0x000000000025C000-memory.dmp
                Filesize

                68KB

                Download
              • memory/1268-93-0x0000000003E50000-0x0000000003E66000-memory.dmp
                Filesize

                88KB

                Download
              • memory/1268-60-0x00000000021A0000-0x00000000021B6000-memory.dmp
                Filesize

                88KB

                Download
              • memory/1268-127-0x0000000005FD0000-0x0000000005FE6000-memory.dmp
                Filesize

                88KB

                Download
              • memory/1336-58-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1336-56-0x0000000000400000-0x0000000000409000-memory.dmp
                Filesize

                36KB

                Download
              • memory/1336-57-0x0000000000402DD8-mapping.dmp
                Download
              • memory/1524-82-0x0000000000400000-0x0000000002B41000-memory.dmp
                Filesize

                39.3MB

                Download
              • memory/1524-81-0x0000000000220000-0x0000000000233000-memory.dmp
                Filesize

                76KB

                Download
              • memory/1524-63-0x0000000000000000-mapping.dmp
                Download
              • memory/1524-76-0x0000000002CAB000-0x0000000002CBC000-memory.dmp
                Filesize

                68KB

                Download
              • memory/1808-61-0x0000000000000000-mapping.dmp
                Download
              • memory/1808-73-0x0000000000220000-0x0000000000229000-memory.dmp
                Filesize

                36KB

                Download
              • memory/1808-65-0x0000000002C0B000-0x0000000002C1C000-memory.dmp
                Filesize

                68KB

                Download
              • memory/1820-89-0x0000000000000000-mapping.dmp
                Download
              • memory/1864-87-0x0000000000000000-mapping.dmp
                Download
              • memory/1868-88-0x0000000000000000-mapping.dmp
                Download
              • memory/1932-83-0x0000000000000000-mapping.dmp
                Download
              • memory/1960-120-0x00000000003E0000-0x00000000003FB000-memory.dmp
                Filesize

                108KB

                Download
              • memory/1960-119-0x000000001A790000-0x000000001A792000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1960-117-0x0000000000A90000-0x0000000000A91000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1960-114-0x0000000000000000-mapping.dmp
                Download
              • memory/1984-121-0x00000000002AB000-0x00000000002BC000-memory.dmp
                Filesize

                68KB

                Download
              • memory/1984-124-0x0000000000400000-0x0000000001085000-memory.dmp
                Filesize

                12.5MB

                Download
              • memory/1984-123-0x00000000001B0000-0x00000000001B9000-memory.dmp
                Filesize

                36KB

                Download
              • memory/1984-112-0x0000000000000000-mapping.dmp
                Download