amadey | 510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 14:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13.exe
Size

217KB
MD5

b0929538ca1c6518ce2280c62daf4383
SHA1

5cae6b0c7254659c66ca14e7d6e1b5bfc481acf4
SHA256

510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13
SHA512

c22881eb36ea57b2594c452c5fd5011f0a03952f7cb33173ba25f4a2a94aa1cada626ac2b37e994438459e5bbbbe0db1cd5fcf4a910316dbfd0b679a6e442e65
SSDEEP

3072:h3tinQnUoC0pvo/UwLsxGqNWUE7FO2XnazDDP0zgGCV5HVFUjWjJkp:h3cnQnO+vAsxzGO0a/DP005HYjWjm

Score

10^/10

amadey smokeloader pub3 backdoor spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

amadey

Version

4.14

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1356	Process not Found

Executes dropped EXE 4 IoCs

pid	Process
2620	tvabccu
2376	D652.exe
2512	Utsysc.exe
1132	Utsysc.exe

Loads dropped DLL 44 IoCs

pid	Process
2376	D652.exe
2376	D652.exe
2008	rundll32.exe
2008	rundll32.exe
2008	rundll32.exe
2008	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
2600	WerFault.exe
2600	WerFault.exe
780	rundll32.exe
780	rundll32.exe
780	rundll32.exe
780	rundll32.exe
2356	rundll32.exe
2356	rundll32.exe
2356	rundll32.exe
2356	rundll32.exe
448	WerFault.exe
448	WerFault.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
1228	rundll32.exe
1228	rundll32.exe
1228	rundll32.exe
1228	rundll32.exe
1064	WerFault.exe
1064	WerFault.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvabccu
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvabccu
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvabccu

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13.exe
2340	510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13.exe
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2340	510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13.exe
2620	tvabccu

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1356	Process not Found
Token: SeShutdownPrivilege	1356	Process not Found
Token: SeShutdownPrivilege	1356	Process not Found

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1356	Process not Found
1356	Process not Found
2376	D652.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1356	Process not Found
1356	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2620	2632	taskeng.exe	29
PID 2632 wrote to memory of 2620	2632	taskeng.exe	29
PID 2632 wrote to memory of 2620	2632	taskeng.exe	29
PID 2632 wrote to memory of 2620	2632	taskeng.exe	29
PID 1356 wrote to memory of 2376	1356	Process not Found	32
PID 1356 wrote to memory of 2376	1356	Process not Found	32
PID 1356 wrote to memory of 2376	1356	Process not Found	32
PID 1356 wrote to memory of 2376	1356	Process not Found	32
PID 2376 wrote to memory of 2512	2376	D652.exe	33
PID 2376 wrote to memory of 2512	2376	D652.exe	33
PID 2376 wrote to memory of 2512	2376	D652.exe	33
PID 2376 wrote to memory of 2512	2376	D652.exe	33
PID 2512 wrote to memory of 2384	2512	Utsysc.exe	34
PID 2512 wrote to memory of 2384	2512	Utsysc.exe	34
PID 2512 wrote to memory of 2384	2512	Utsysc.exe	34
PID 2512 wrote to memory of 2384	2512	Utsysc.exe	34
PID 2512 wrote to memory of 2008	2512	Utsysc.exe	38
PID 2512 wrote to memory of 2008	2512	Utsysc.exe	38
PID 2512 wrote to memory of 2008	2512	Utsysc.exe	38
PID 2512 wrote to memory of 2008	2512	Utsysc.exe	38
PID 2512 wrote to memory of 2008	2512	Utsysc.exe	38
PID 2512 wrote to memory of 2008	2512	Utsysc.exe	38
PID 2512 wrote to memory of 2008	2512	Utsysc.exe	38
PID 2008 wrote to memory of 484	2008	rundll32.exe	39
PID 2008 wrote to memory of 484	2008	rundll32.exe	39
PID 2008 wrote to memory of 484	2008	rundll32.exe	39
PID 2008 wrote to memory of 484	2008	rundll32.exe	39
PID 484 wrote to memory of 2600	484	rundll32.exe	40
PID 484 wrote to memory of 2600	484	rundll32.exe	40
PID 484 wrote to memory of 2600	484	rundll32.exe	40
PID 2512 wrote to memory of 780	2512	Utsysc.exe	41
PID 2512 wrote to memory of 780	2512	Utsysc.exe	41
PID 2512 wrote to memory of 780	2512	Utsysc.exe	41
PID 2512 wrote to memory of 780	2512	Utsysc.exe	41
PID 2512 wrote to memory of 780	2512	Utsysc.exe	41
PID 2512 wrote to memory of 780	2512	Utsysc.exe	41
PID 2512 wrote to memory of 780	2512	Utsysc.exe	41
PID 780 wrote to memory of 2356	780	rundll32.exe	42
PID 780 wrote to memory of 2356	780	rundll32.exe	42
PID 780 wrote to memory of 2356	780	rundll32.exe	42
PID 780 wrote to memory of 2356	780	rundll32.exe	42
PID 2356 wrote to memory of 448	2356	rundll32.exe	43
PID 2356 wrote to memory of 448	2356	rundll32.exe	43
PID 2356 wrote to memory of 448	2356	rundll32.exe	43
PID 2512 wrote to memory of 832	2512	Utsysc.exe	44
PID 2512 wrote to memory of 832	2512	Utsysc.exe	44
PID 2512 wrote to memory of 832	2512	Utsysc.exe	44
PID 2512 wrote to memory of 832	2512	Utsysc.exe	44
PID 2512 wrote to memory of 832	2512	Utsysc.exe	44
PID 2512 wrote to memory of 832	2512	Utsysc.exe	44
PID 2512 wrote to memory of 832	2512	Utsysc.exe	44
PID 832 wrote to memory of 1228	832	rundll32.exe	45
PID 832 wrote to memory of 1228	832	rundll32.exe	45
PID 832 wrote to memory of 1228	832	rundll32.exe	45
PID 832 wrote to memory of 1228	832	rundll32.exe	45
PID 1228 wrote to memory of 1064	1228	rundll32.exe	46
PID 1228 wrote to memory of 1064	1228	rundll32.exe	46
PID 1228 wrote to memory of 1064	1228	rundll32.exe	46
PID 2632 wrote to memory of 1132	2632	taskeng.exe	47
PID 2632 wrote to memory of 1132	2632	taskeng.exe	47
PID 2632 wrote to memory of 1132	2632	taskeng.exe	47
PID 2632 wrote to memory of 1132	2632	taskeng.exe	47
PID 2512 wrote to memory of 2952	2512	Utsysc.exe	48
PID 2512 wrote to memory of 2952	2512	Utsysc.exe	48

C:\Users\Admin\AppData\Local\Temp\510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13.exe
"C:\Users\Admin\AppData\Local\Temp\510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2340

C:\Windows\system32\taskeng.exe
taskeng.exe {4411FC20-4784-4244-81BD-4BADFB08360F} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Roaming\tvabccu
  C:\Users\Admin\AppData\Roaming\tvabccu
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  2⤵
  - Executes dropped EXE
  PID:1132

C:\Users\Admin\AppData\Local\Temp\D652.exe
C:\Users\Admin\AppData\Local\Temp\D652.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2384
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:484
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 484 -s 308
        5⤵
        Loads dropped DLL
        
        PID:2600
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2356 -s 308
        5⤵
        Loads dropped DLL
        
        PID:448
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1228 -s 308
        5⤵
        Loads dropped DLL
        
        PID:1064
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:2952
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1696
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\627615824406

Filesize
61KB

MD5
e5185f1a5d9d2ebc20ae8236fc1c5c85

SHA1
364650af56eafd41a6b99a239244646103dc9a2b

SHA256
d597be4cc6fc7537bded7451f3ec6bb4326a856af59ef2d36a44307c7f405738

SHA512
44f58b0e68b31344781806c493207455c93f75d0252bfe9f595eef88dc3d9d4f5741ec908a150a3e2671337f86f44077eb70d3ba663acb52d58f3ff934b04437

Download Submit
C:\Users\Admin\AppData\Local\Temp\D652.exe

Filesize
395KB

MD5
65d2ab4c9fa5eeb0d5a00d65b14af87a

SHA1
ed0bc9a93a97eb765fdd2fbedddf80a7a7b54d23

SHA256
39ff80a6e14a12caf282fe0deead25f79488d6fbbdc399780865afead9597d32

SHA512
36b22c1ff875c937e5fbb41f2d042f277f3b3a830550956595160ee06346f71685200eb00a397a25cbeaf689ab3c9aacf057ebf1d356c8fa5902021bb1aba318

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\tvabccu

Filesize
217KB

MD5
b0929538ca1c6518ce2280c62daf4383

SHA1
5cae6b0c7254659c66ca14e7d6e1b5bfc481acf4

SHA256
510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13

SHA512
c22881eb36ea57b2594c452c5fd5011f0a03952f7cb33173ba25f4a2a94aa1cada626ac2b37e994438459e5bbbbe0db1cd5fcf4a910316dbfd0b679a6e442e65

Download Submit
memory/1132-111-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/1132-134-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/1132-113-0x0000000002D30000-0x0000000002E30000-memory.dmp

Filesize
1024KB

Download
memory/1356-4-0x0000000002990000-0x00000000029A6000-memory.dmp

Filesize
88KB

Download
memory/1356-16-0x00000000029B0000-0x00000000029C6000-memory.dmp

Filesize
88KB

Download
memory/2340-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2340-5-0x0000000000400000-0x0000000002BE4000-memory.dmp

Filesize
39.9MB

Download
memory/2340-3-0x0000000000400000-0x0000000002BE4000-memory.dmp

Filesize
39.9MB

Download
memory/2340-1-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download
memory/2376-45-0x0000000002CF0000-0x0000000002DF0000-memory.dmp

Filesize
1024KB

Download
memory/2376-42-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2376-40-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2376-27-0x0000000002CF0000-0x0000000002DF0000-memory.dmp

Filesize
1024KB

Download
memory/2376-44-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/2376-28-0x0000000000310000-0x000000000037F000-memory.dmp

Filesize
444KB

Download
memory/2512-87-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

Filesize
1024KB

Download
memory/2512-54-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2512-86-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2512-48-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

Filesize
1024KB

Download
memory/2512-98-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2512-112-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2512-47-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2512-128-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2512-133-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2512-139-0x0000000000400000-0x0000000002C10000-memory.dmp

Filesize
40.1MB

Download
memory/2620-17-0x0000000000400000-0x0000000002BE4000-memory.dmp

Filesize
39.9MB

Download
memory/2620-15-0x0000000000400000-0x0000000002BE4000-memory.dmp

Filesize
39.9MB

Download
memory/2620-14-0x0000000002D10000-0x0000000002E10000-memory.dmp

Filesize
1024KB

Download