de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3

Resubmissions

29-04-2024 19:30

240429-x7vc2sah46 10

29-04-2024 19:28

240429-x65gmaah25 1

29-04-2024 19:25

240429-x49zbsag74 10

29-04-2024 04:45

240429-fdebasaf52 10

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-04-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe
Size

718KB
MD5

1bf24ce8b5e34930932432d626fac06d
SHA1

32276318f55c1118980f98377968de0f78c9227e
SHA256

de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3
SHA512

d3885e43fe5189eb37cdf4518f05c9096685974db4eefd96260e2db8b17cda13b67861cef2247aeb12baed7ca59c892c82f855c5179e54213f861d2c352ce4fa
SSDEEP

12288:tfLmWONlyXjI/kkJzHSomfaeITAl5aqzTuCTTcARinC/4Tf0Yk4FfRUEy2Hzo5:tfLmNlz/XUyZTAl8jOiiifDzo5

Score

10^/10

discovery spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

Mentor.pif

description pid process target process

PID 2388 created 1192 2388 Mentor.pif Explorer.EXE
PID 2388 created 1192 2388 Mentor.pif Explorer.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Mentor.pifMentor.pifMentor.pif

pid process

2388 Mentor.pif
628 Mentor.pif
880 Mentor.pif
Loads dropped DLL 4 IoCs

Processes:

cmd.exeMentor.pif

pid process

2716 cmd.exe
880 Mentor.pif
880 Mentor.pif
880 Mentor.pif
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Mentor.pif

description pid process target process

PID 2388 set thread context of 880 2388 Mentor.pif Mentor.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2616 tasklist.exe
2728 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2436 PING.EXE

description	pid	process	target process
PID 2388 created 1192	2388	Mentor.pif	Explorer.EXE
PID 2388 created 1192	2388	Mentor.pif	Explorer.EXE

pid	process
2716	cmd.exe
880	Mentor.pif
880	Mentor.pif
880	Mentor.pif

description	pid	process	target process
PID 2388 set thread context of 880	2388	Mentor.pif	Mentor.pif

pid	process
2616	tasklist.exe
2728	tasklist.exe

pid	process
2436	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Mentor.pifMentor.pif

pid	process
2388	Mentor.pif
2388	Mentor.pif
2388	Mentor.pif
2388	Mentor.pif
2388	Mentor.pif
880	Mentor.pif
880	Mentor.pif
880	Mentor.pif
880	Mentor.pif
880	Mentor.pif
880	Mentor.pif
880	Mentor.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2616 tasklist.exe
Token: SeDebugPrivilege 2728 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Mentor.pif

pid process

2388 Mentor.pif
2388 Mentor.pif
2388 Mentor.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Mentor.pif

pid process

2388 Mentor.pif
2388 Mentor.pif
2388 Mentor.pif

description	pid	process
Token: SeDebugPrivilege	2616	tasklist.exe
Token: SeDebugPrivilege	2728	tasklist.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.execmd.exeMentor.pif

description	pid	process	target process
PID 1908 wrote to memory of 2716	1908	de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe	cmd.exe
PID 1908 wrote to memory of 2716	1908	de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe	cmd.exe
PID 1908 wrote to memory of 2716	1908	de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe	cmd.exe
PID 1908 wrote to memory of 2716	1908	de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe	cmd.exe
PID 2716 wrote to memory of 2616	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 2616	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 2616	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 2616	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 2620	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 2620	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 2620	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 2620	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 2728	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 2728	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 2728	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 2728	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 2556	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 2556	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 2556	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 2556	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 2684	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2684	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2684	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2684	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2708	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 2708	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 2708	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 2708	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 2644	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2644	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2644	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2644	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2508	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2508	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2508	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2508	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2388	2716	cmd.exe	Mentor.pif
PID 2716 wrote to memory of 2388	2716	cmd.exe	Mentor.pif
PID 2716 wrote to memory of 2388	2716	cmd.exe	Mentor.pif
PID 2716 wrote to memory of 2388	2716	cmd.exe	Mentor.pif
PID 2716 wrote to memory of 2436	2716	cmd.exe	PING.EXE
PID 2716 wrote to memory of 2436	2716	cmd.exe	PING.EXE
PID 2716 wrote to memory of 2436	2716	cmd.exe	PING.EXE
PID 2716 wrote to memory of 2436	2716	cmd.exe	PING.EXE
PID 2388 wrote to memory of 628	2388	Mentor.pif	Mentor.pif
PID 2388 wrote to memory of 628	2388	Mentor.pif	Mentor.pif
PID 2388 wrote to memory of 628	2388	Mentor.pif	Mentor.pif
PID 2388 wrote to memory of 628	2388	Mentor.pif	Mentor.pif
PID 2388 wrote to memory of 880	2388	Mentor.pif	Mentor.pif
PID 2388 wrote to memory of 880	2388	Mentor.pif	Mentor.pif
PID 2388 wrote to memory of 880	2388	Mentor.pif	Mentor.pif
PID 2388 wrote to memory of 880	2388	Mentor.pif	Mentor.pif
PID 2388 wrote to memory of 880	2388	Mentor.pif	Mentor.pif
PID 2388 wrote to memory of 880	2388	Mentor.pif	Mentor.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe
"C:\Users\Admin\AppData\Local\Temp\de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Evaluation Evaluation.bat && Evaluation.bat
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:2620

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c md 34173
4⤵
PID:2684

C:\Windows\SysWOW64\findstr.exe
findstr /V "BabesSalvationCarriesBabes" Drawings
4⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 34173\Mentor.pif + Adjacent + Captured + Sacred + Vagina + Lafayette + Surveys 34173\Mentor.pif
4⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Counting + Francisco + Honda 34173\o
4⤵
PID:2508

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\34173\Mentor.pif
34173\Mentor.pif 34173\o
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:2436

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\34173\Mentor.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\34173\Mentor.pif"
2⤵
- Executes dropped EXE
PID:628

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\34173\Mentor.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\34173\Mentor.pif"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\4eZCys7H2gyp
Filesize
92KB

MD5
2157696941ae13875f8dfe8630ea4029

SHA1
b5ff62b7900cdfc630edd94d737309042de58251

SHA256
90e438a9d6706c8a1e809bfb5babe83508cac27d3c9f3f9b8bd1cd4f3aa3e033

SHA512
61b998e42f5d0121f75e04a46177c1c3a7122dc2014b7bed1d584c9ea53146e87d7a6b9e94bde066d92580c6c2b2316dd860980e5cd8f75984286dc90e43fb6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\34173\Mentor.pif
Filesize
14B

MD5
31e58e7820d68b99cbe79fafaa648de8

SHA1
910fe879c305978c20b93b8ac8c25d829233d9bc

SHA256
aa28297aaf8306156db4f96c282b83b4cd80543e680aad6d424de88b22f8ec57

SHA512
2f5c696266f0f5f6a734bc55a23d775b15343ce66d2bcf6503008d406762ad1eb659d914293cb7095deb579366ee3bf05d84e6a038736cf925bf3094f3e45de1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\34173\o
Filesize
526KB

MD5
dd2acdef84b287794876c92c2a735aec

SHA1
1ff96f7a71f808ddaa2fc197b6299532a8fcd0fb

SHA256
3a149e1f3ec43f37fb419affaf175870725b78b8fd5e42019fe6a988823d7282

SHA512
664ad38efc6be0fe5a16d3670c564064d19fc27bc56397da8f798f7bb9bfcccb92e6f4b05d2f399a838dce1bff860b4e678f112b6eb90db9d3e97996f01e1524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Adjacent
Filesize
64KB

MD5
7474db7b5f39b27e7fbce6e370b4bf66

SHA1
d4d7c4d41bded1c9d8959017cfa7846e435d93bd

SHA256
0efd0625b7921c18935c66adb4b3a653a913ecd90ab3b8b1983ff4101479605f

SHA512
3247a749ddde2e80cc2d1b5f9c47d5ce4af2389da59de3360d8cbc60445bd593c5fc3270fb1eb156a344d69cc00b88e02feb6600998f4e7323f4ae3219aa273a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Captured
Filesize
131KB

MD5
88edf7bb55387e597f59684273f66bb3

SHA1
99786b34a5db73c85a43cd4c18a8c085fed5ab89

SHA256
f61189f0f701466dcc3e2f6a8e411e7878cbf9ba6bba49917d612c19b1cc6a23

SHA512
84689a3c6d933710dffc4d80c0b41820a8e5a6309ba6979d07e22a638aa4db143f00ad80388871e444c3edf5332f471ec0db227ea97a3f0df2c9e2cdc5f3dd42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Counting
Filesize
281KB

MD5
a262219e61af791c944a87d07bac0075

SHA1
d74aeaa010271d13e1edc54bc73601e57f020c49

SHA256
0177bcf1e6862c139fae08a9c6027f68989b4f68a239b64fab7449d1c421ddc0

SHA512
116ce3a1349a17f8b14a5c2a35af9008d8ffbdeae5e3b2a22f9cedbb18f2af564cc8b7762b30c643265eb16907df02a5c75fb3d141db0646f46bf777b855febb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Drawings
Filesize
42B

MD5
477a08320d6c6e2f4512d40eb08713b1

SHA1
7be0348f77ae584c1ef6b8de1321473da3f9aa3c

SHA256
027643fd5055f08abd161719191a2ac764cdf555d452da6cb84ecfd557144529

SHA512
1bebae844d70507826ca40d135d12172aba7c23c5ed6cd7f2a3d229dc8e137e641a527b63e1474a4f0e4849568aa6ce6fd3d1276772d75b7f597d6b0a51d01c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Evaluation
Filesize
21KB

MD5
b647cde3038a87c2498edec310305673

SHA1
6fcc09d2c62d284b66926d3605aff5510e7e9453

SHA256
5c67bac057822f53f941200e27d24c5277ac742b78b3c3f5958a74a33c49b38d

SHA512
db701f47fee7344c4331664ce7a0187e6b9e9d47bab386665d64a61ca3a21de24af193dd1b485fdea8a003e4cb859bee73b2ddb7e3304719df1ab3446a367482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Francisco
Filesize
210KB

MD5
1bd18404bd951a8deb7845f75a6399f9

SHA1
748f9977c0e7d628bad8d3d8e827100b6590cb4d

SHA256
16f684e24d64d7102f8ca4feddbbc6764fc405cc3688353baa3c086f98fda1cb

SHA512
b00b38068cbc363e7fd5ff4038610f56828ffe13fb7ab78b6103baf6efeb05d4e9024e7383b8b6c73a010bce87f978e163685df6f3801aaa34f5da940aac6bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Honda
Filesize
35KB

MD5
59c2b53fe828fde64bd2a39a5de07ee9

SHA1
2ed2c83a393b5e30131acaf57893dd46c1084b52

SHA256
6a258a819e64d26e05f34edadd0ef7e11f58cf4d68f60aba82a71f5236e9f9eb

SHA512
28f667142fb539194d66503ecbfe9ee8fdb35dbd9324b4fb27ee0b6d2b76150f0a2751d825cc11314ae42f4d30b8e2c6a941c72a3cf72126391c48a4e3437998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lafayette
Filesize
200KB

MD5
4db90c416a38e4572abf3261e5dacf6a

SHA1
3d721f9c266090469bc46f9f3616d47611492038

SHA256
3ed0263be62819660e0fd37e95ab71b30ab8409348ac4f7ed11bcba0235d570d

SHA512
bd97959b027988a888010553e7fa424a8c38a7cccfd951e1b9222e5e16ce745e2a657b4dbc9238e5e8c84f66f1c238e999eba45e639f00cc928d2e5e5d66c25a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sacred
Filesize
125KB

MD5
c68b90b18096cedb29d5dd73790b6b05

SHA1
00f7a79c3bb847352a8b9ef73a24bcb039890e07

SHA256
f68e29a0f0c076fb5a3539f51168a73692c118cb861f3b814339a1eac86ce923

SHA512
d4df00de092bebe44e13b06587052465b73e67abd5502cac1e50019d7f008e57b74352b0263d986aa95fd7a1d57bb19778661feae5305544e6a33605dd764415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Surveys
Filesize
131KB

MD5
5bf3a39ef1e55247138748c2975a6873

SHA1
60d6c0a87fad62c31824f31c6def118541749698

SHA256
10609820e62098fd90b9344a9ece578451f913433fc8b53dbab9007db210fdb7

SHA512
2d9740527edfb51702f8b7c6c4123f530f559dada973455533f493dee2c5ebdcd1de47d9d47e4b35a2bf850d5c244c9fe59a497ad27f24648a848ca52221129b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Vagina
Filesize
270KB

MD5
75e4a838cff0be8ef793640d1011129c

SHA1
9788327d28e5c5fb43d03856f395a863f7ecf9a0

SHA256
3bbf6b504ffec824edc168cb1a11121a5b360361ee192f5923aa11e9afe985e0

SHA512
19f1a02ded1f1b79823eb6c6a5e4790412dab2a5395ac83e6ec6e5639fce642f45bb7403b995152dee31c2454063ac7da389676b3605fb57d2950440f7bb4a2e

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\34173\Mentor.pif
Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/880-70-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download