redline | 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a

Analysis

max time kernel
55s
max time network
65s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
01/04/2023, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe
Size

530KB
MD5

526bd70f0dc169ad212ec2af3834422d
SHA1

6aca1ab6ac74a1eb12b54befdbb097faecf7faca
SHA256

8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a
SHA512

38267139e950c3c2c74b2c6125ac699567cfeaba6510ae3b0e01b09aee795de9f07c02f0ef638782ca003cc48ea6e25e765f21af042cfb9fb42e583200b29e32
SSDEEP

12288:LMr2y905kn9qiQO2jV4bmFf5KXa/4mMMYJ1FC0D9os:1ymk9xD4AfmVY7FC0Jos

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr350483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr350483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr350483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr350483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr350483.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3892-140-0x00000000023E0000-0x0000000002426000-memory.dmp	family_redline
behavioral1/memory/3892-142-0x0000000002630000-0x0000000002674000-memory.dmp	family_redline
behavioral1/memory/3892-147-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-148-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-150-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-152-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-154-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-156-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-158-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-160-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-162-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-164-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-166-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-168-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-170-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-172-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-174-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-176-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-178-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-180-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-184-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-182-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-186-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-188-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-190-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-192-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-194-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-196-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-198-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-200-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-202-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-204-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-206-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-208-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline
behavioral1/memory/3892-210-0x0000000002630000-0x000000000266F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4044	ziGu9219.exe
1720	jr350483.exe
3892	ku895889.exe
4728	lr948369.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr350483.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziGu9219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziGu9219.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1720	jr350483.exe
1720	jr350483.exe
3892	ku895889.exe
3892	ku895889.exe
4728	lr948369.exe
4728	lr948369.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	jr350483.exe
Token: SeDebugPrivilege	3892	ku895889.exe
Token: SeDebugPrivilege	4728	lr948369.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 4044	4300	8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe	66
PID 4300 wrote to memory of 4044	4300	8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe	66
PID 4300 wrote to memory of 4044	4300	8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe	66
PID 4044 wrote to memory of 1720	4044	ziGu9219.exe	67
PID 4044 wrote to memory of 1720	4044	ziGu9219.exe	67
PID 4044 wrote to memory of 3892	4044	ziGu9219.exe	68
PID 4044 wrote to memory of 3892	4044	ziGu9219.exe	68
PID 4044 wrote to memory of 3892	4044	ziGu9219.exe	68
PID 4300 wrote to memory of 4728	4300	8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe	70
PID 4300 wrote to memory of 4728	4300	8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe	70
PID 4300 wrote to memory of 4728	4300	8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe	70

C:\Users\Admin\AppData\Local\Temp\8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe
"C:\Users\Admin\AppData\Local\Temp\8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3892
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr948369.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr948369.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr948369.exe

Filesize
176KB

MD5
525ae3187dd01aad55954e30c22f1a63

SHA1
e84d665f57bb7bee917308676f7aa0d72583bb05

SHA256
57ff5d0cc8d8d4c53048ab0ecf39013a59fb6a1294685d58e842039d24c60380

SHA512
f75c3b02a6bf4f75d7e686fac43cfcd2cb0f458313819106124cff62f4c83cb51c65fc5dc0919014456812b22ec5402ac1dbcfd6636cd3ea864296059e7df4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr948369.exe

Filesize
176KB

MD5
525ae3187dd01aad55954e30c22f1a63

SHA1
e84d665f57bb7bee917308676f7aa0d72583bb05

SHA256
57ff5d0cc8d8d4c53048ab0ecf39013a59fb6a1294685d58e842039d24c60380

SHA512
f75c3b02a6bf4f75d7e686fac43cfcd2cb0f458313819106124cff62f4c83cb51c65fc5dc0919014456812b22ec5402ac1dbcfd6636cd3ea864296059e7df4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe

Filesize
388KB

MD5
3e91b0adc4ce2421d09efd4231a2b9e1

SHA1
45688cee5dd411d460670ca1a1d5e68c8702b634

SHA256
54d4789f22d957f4583cf3c1c6f333827268a90873f9ff51ab1f046521871d93

SHA512
e2972d7ba7967e2ca8dee3e2a265fc36376674e0e80ec3b21efc2c038b3ade1e84b8d08ae27d6e3cb1eb8a25cb20848c4f1a6e70ad214a62b62b372b1d1e3a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe

Filesize
388KB

MD5
3e91b0adc4ce2421d09efd4231a2b9e1

SHA1
45688cee5dd411d460670ca1a1d5e68c8702b634

SHA256
54d4789f22d957f4583cf3c1c6f333827268a90873f9ff51ab1f046521871d93

SHA512
e2972d7ba7967e2ca8dee3e2a265fc36376674e0e80ec3b21efc2c038b3ade1e84b8d08ae27d6e3cb1eb8a25cb20848c4f1a6e70ad214a62b62b372b1d1e3a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe

Filesize
11KB

MD5
78c3c8212cb8c23b1adfa1c970a5ea61

SHA1
70cb7000ca8a18ed2da17a59ead6f905fc13eaee

SHA256
04cdace3f1f541f266f553f581943d847b765821a933c7695a6830ea3ae37a48

SHA512
87474d9f045b6c32e2555c95d45f6c8628ce953fc9fc8c4dfbe538b8b48d12164bc5cea0d8df6eaa32b2e52a356c13f712b7ea7eaeb385a077ea7536f8b58e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe

Filesize
11KB

MD5
78c3c8212cb8c23b1adfa1c970a5ea61

SHA1
70cb7000ca8a18ed2da17a59ead6f905fc13eaee

SHA256
04cdace3f1f541f266f553f581943d847b765821a933c7695a6830ea3ae37a48

SHA512
87474d9f045b6c32e2555c95d45f6c8628ce953fc9fc8c4dfbe538b8b48d12164bc5cea0d8df6eaa32b2e52a356c13f712b7ea7eaeb385a077ea7536f8b58e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe

Filesize
434KB

MD5
99fe8a12de549bc4afa5ddfe635fae38

SHA1
6f339d74d8913b23384b9236463b8978f4af1bb6

SHA256
5f627e3af21dcadff429f64fb608429c0564935d2ae2360b9c1b56bdfcb0c8bd

SHA512
af4f9d865fb67aef5506d3ded3018dfa3f844a6ec3db7d5c3353c782cba09511521a4c247512420234ec1ba7eb5acf542360d44841d8edbbb648b278d98d2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe

Filesize
434KB

MD5
99fe8a12de549bc4afa5ddfe635fae38

SHA1
6f339d74d8913b23384b9236463b8978f4af1bb6

SHA256
5f627e3af21dcadff429f64fb608429c0564935d2ae2360b9c1b56bdfcb0c8bd

SHA512
af4f9d865fb67aef5506d3ded3018dfa3f844a6ec3db7d5c3353c782cba09511521a4c247512420234ec1ba7eb5acf542360d44841d8edbbb648b278d98d2226

Download Submit
memory/1720-134-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/3892-140-0x00000000023E0000-0x0000000002426000-memory.dmp

Filesize
280KB

Download
memory/3892-141-0x0000000004C20000-0x000000000511E000-memory.dmp

Filesize
5.0MB

Download
memory/3892-143-0x00000000005C0000-0x000000000060B000-memory.dmp

Filesize
300KB

Download
memory/3892-145-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/3892-144-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/3892-146-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/3892-142-0x0000000002630000-0x0000000002674000-memory.dmp

Filesize
272KB

Download
memory/3892-147-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-148-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-150-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-152-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-154-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-156-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-158-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-160-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-162-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-164-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-166-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-168-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-170-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-172-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-174-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-176-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-178-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-180-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-184-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-182-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-186-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-188-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-190-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-192-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-194-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-196-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-198-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-200-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-202-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-204-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-206-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-208-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-210-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/3892-1053-0x0000000005830000-0x0000000005E36000-memory.dmp

Filesize
6.0MB

Download
memory/3892-1054-0x0000000005290000-0x000000000539A000-memory.dmp

Filesize
1.0MB

Download
memory/3892-1055-0x00000000053D0000-0x00000000053E2000-memory.dmp

Filesize
72KB

Download
memory/3892-1056-0x00000000053F0000-0x000000000542E000-memory.dmp

Filesize
248KB

Download
memory/3892-1057-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/3892-1058-0x0000000005540000-0x000000000558B000-memory.dmp

Filesize
300KB

Download
memory/3892-1060-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/3892-1061-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/3892-1062-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/3892-1063-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/3892-1064-0x0000000006480000-0x0000000006642000-memory.dmp

Filesize
1.8MB

Download
memory/3892-1065-0x0000000006670000-0x0000000006B9C000-memory.dmp

Filesize
5.2MB

Download
memory/3892-1066-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/3892-1067-0x0000000006DC0000-0x0000000006E36000-memory.dmp

Filesize
472KB

Download
memory/3892-1068-0x0000000006E50000-0x0000000006EA0000-memory.dmp

Filesize
320KB

Download
memory/4728-1074-0x0000000000AF0000-0x0000000000B22000-memory.dmp

Filesize
200KB

Download
memory/4728-1075-0x00000000053F0000-0x000000000543B000-memory.dmp

Filesize
300KB

Download
memory/4728-1076-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download