amadey | 8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d.exe
Size

812KB
MD5

732e8b08f55b84327bc9756784510ce7
SHA1

3f8319e7098f2d99025c21c4cf7faa3e67b31957
SHA256

1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d
SHA512

afe862b4f008d5b18d0aeca1a3e6ecac28c8724f301df381e591cc170dcc39dfc0bb6aa96814c668c5f424e03736f9b448acc8c104e6107d3d66afe28da11ab5
SSDEEP

24576:1y07ft7pdSgS37uybqnoffSrKMf48ABP:QAfTdS8ybqIEAB

Score

10^/10

amadey redline 59b440 mrak evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

g4522034.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g4522034.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g4522034.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g4522034.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	g4522034.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g4522034.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g4522034.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4218739.exe	family_redline
behavioral1/memory/3736-75-0x00000000001D0000-0x0000000000200000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

h4431890.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	h4431890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 10 IoCs

Processes:

x7902882.exex7653899.exex9569919.exeg4522034.exeh4431890.exesaves.exei4218739.exesaves.exesaves.exesaves.exe

pid	process
2604	x7902882.exe
2972	x7653899.exe
1148	x9569919.exe
1292	g4522034.exe
5752	h4431890.exe
3540	saves.exe
3736	i4218739.exe
3340	saves.exe
2908	saves.exe
1444	saves.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

g4522034.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	g4522034.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	g4522034.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d.exex7902882.exex7653899.exex9569919.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7902882.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7653899.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9569919.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4216 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

g4522034.exe

pid process

1292 g4522034.exe
1292 g4522034.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

g4522034.exe

description pid process

Token: SeDebugPrivilege 1292 g4522034.exe

pid	process
4216	schtasks.exe

pid	process
1292	g4522034.exe
1292	g4522034.exe

description	pid	process
Token: SeDebugPrivilege	1292	g4522034.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d.exex7902882.exex7653899.exex9569919.exeh4431890.exesaves.execmd.exe

description	pid	process	target process
PID 3496 wrote to memory of 2604	3496	1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d.exe	x7902882.exe
PID 3496 wrote to memory of 2604	3496	1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d.exe	x7902882.exe
PID 3496 wrote to memory of 2604	3496	1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d.exe	x7902882.exe
PID 2604 wrote to memory of 2972	2604	x7902882.exe	x7653899.exe
PID 2604 wrote to memory of 2972	2604	x7902882.exe	x7653899.exe
PID 2604 wrote to memory of 2972	2604	x7902882.exe	x7653899.exe
PID 2972 wrote to memory of 1148	2972	x7653899.exe	x9569919.exe
PID 2972 wrote to memory of 1148	2972	x7653899.exe	x9569919.exe
PID 2972 wrote to memory of 1148	2972	x7653899.exe	x9569919.exe
PID 1148 wrote to memory of 1292	1148	x9569919.exe	g4522034.exe
PID 1148 wrote to memory of 1292	1148	x9569919.exe	g4522034.exe
PID 1148 wrote to memory of 1292	1148	x9569919.exe	g4522034.exe
PID 1148 wrote to memory of 5752	1148	x9569919.exe	h4431890.exe
PID 1148 wrote to memory of 5752	1148	x9569919.exe	h4431890.exe
PID 1148 wrote to memory of 5752	1148	x9569919.exe	h4431890.exe
PID 5752 wrote to memory of 3540	5752	h4431890.exe	saves.exe
PID 5752 wrote to memory of 3540	5752	h4431890.exe	saves.exe
PID 5752 wrote to memory of 3540	5752	h4431890.exe	saves.exe
PID 2972 wrote to memory of 3736	2972	x7653899.exe	i4218739.exe
PID 2972 wrote to memory of 3736	2972	x7653899.exe	i4218739.exe
PID 2972 wrote to memory of 3736	2972	x7653899.exe	i4218739.exe
PID 3540 wrote to memory of 4216	3540	saves.exe	schtasks.exe
PID 3540 wrote to memory of 4216	3540	saves.exe	schtasks.exe
PID 3540 wrote to memory of 4216	3540	saves.exe	schtasks.exe
PID 3540 wrote to memory of 4032	3540	saves.exe	cmd.exe
PID 3540 wrote to memory of 4032	3540	saves.exe	cmd.exe
PID 3540 wrote to memory of 4032	3540	saves.exe	cmd.exe
PID 4032 wrote to memory of 2444	4032	cmd.exe	cmd.exe
PID 4032 wrote to memory of 2444	4032	cmd.exe	cmd.exe
PID 4032 wrote to memory of 2444	4032	cmd.exe	cmd.exe
PID 4032 wrote to memory of 644	4032	cmd.exe	cacls.exe
PID 4032 wrote to memory of 644	4032	cmd.exe	cacls.exe
PID 4032 wrote to memory of 644	4032	cmd.exe	cacls.exe
PID 4032 wrote to memory of 1480	4032	cmd.exe	cacls.exe
PID 4032 wrote to memory of 1480	4032	cmd.exe	cacls.exe
PID 4032 wrote to memory of 1480	4032	cmd.exe	cacls.exe
PID 4032 wrote to memory of 3316	4032	cmd.exe	cmd.exe
PID 4032 wrote to memory of 3316	4032	cmd.exe	cmd.exe
PID 4032 wrote to memory of 3316	4032	cmd.exe	cmd.exe
PID 4032 wrote to memory of 3064	4032	cmd.exe	cacls.exe
PID 4032 wrote to memory of 3064	4032	cmd.exe	cacls.exe
PID 4032 wrote to memory of 3064	4032	cmd.exe	cacls.exe
PID 4032 wrote to memory of 5628	4032	cmd.exe	cacls.exe
PID 4032 wrote to memory of 5628	4032	cmd.exe	cacls.exe
PID 4032 wrote to memory of 5628	4032	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d.exe
"C:\Users\Admin\AppData\Local\Temp\1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7902882.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7902882.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7653899.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7653899.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9569919.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9569919.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4522034.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4522034.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4431890.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4431890.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5752
      - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        8⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        8⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        8⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        8⤵
        
        PID:5628
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4218739.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4218739.exe
      4⤵
      Executes dropped EXE
      PID:3736

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:3340

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:2908

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7902882.exe

Filesize
706KB

MD5
2c65beaa0034e1c9faf92b7551d8b022

SHA1
b824e888f2cdde0446053a471b8ad5a038c5d84d

SHA256
c66fa1c34c80724cbb32dc5d57c0c64ffb037110fefe5daa8d6ac85eb4501066

SHA512
1425ad56986c2a879731862f1f46b2e57fe01a5536ba7ca6f52d7c7e65b2f5b4a35889ae563faed7f0dd402237d8dd3ab8ccbc2006d63637be241ca47f176b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7653899.exe

Filesize
540KB

MD5
1b99a47366f793314f8fbabc61f22c20

SHA1
a902fe5e971f8cb37b83f8ead93e76c28376b99a

SHA256
3ceceab1b967b8aa759dad3089cdb09aaeba2578e8bc70576c2680df19c892b7

SHA512
79760a43ea3b28cea15f53f9d9b8be971f8fce59fabc5e2943ece7a34bd477241bd6d934f8436c373e00304fb11ad16a49870ecfcfc4eddd839e82ad4c94baab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4218739.exe

Filesize
173KB

MD5
2790d4897a207f1f0c91996f5ea026cb

SHA1
e65df1f385c36226405cfc74b51a858a642244fb

SHA256
c7d9f00471b0b735502684437e1596d7177a026726bbace4f800c05db65b1e43

SHA512
ee92e7a6981ee393343b29080b9258ce9b5199270043e111bfbbaee12d0ee0f4421def026849f08d6e87821e480d79bc53ac7ad51dfb444a6e37f892b2266a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9569919.exe

Filesize
384KB

MD5
88fd436a63bb8b305a69ae43171d6cd0

SHA1
23fa361d0b196800ce188ef1e0a07cc5c42e7ba9

SHA256
5be107116f8d98ca0470e6e7fa77323817137c0370cd0fc0a37120ff6c9acd02

SHA512
fa26a6dcebfc0d96c8aa116992b1ad017f62045a052850edfff3c194e997f94884f95238d08cc7af2f7349f4c9de4202598ae10dd3bc6559b9ffc0a6bca8461d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4522034.exe

Filesize
185KB

MD5
37ef078be2b7ad25c82c683344481421

SHA1
8e5646630f573185d019cf017d9204a5dbd57728

SHA256
7bbfe441a3a34d88fb5f0dc4a6e9d27b300bf945b8e64f91d25704b5cb320fe7

SHA512
456928068ebf2f9420fa33d69854a7a5117207e2fcda15b251725266581ec1d931ff989d68a2bb28f802f4b7808029a14effe8d0e68653634680dd66366ea5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4431890.exe

Filesize
336KB

MD5
3fa5620646ab64a5b929893be1fc5215

SHA1
ffc6db6d0096101c65e3d0f575d05daa4ae63cbf

SHA256
a1e0512f57b2dc3c51e6b6d98549ef99ae5d6d9417487062e5a7672610d8ccff

SHA512
7473e4635b2a2a823d6ef0ff1df2f3492b8755c5a7cc4025252d50faa36872b65f4a117221ec55c0228d96f01c5433ac10cd849ab92fc5ef7215f4fce3d23335

Download Submit
memory/1292-44-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-34-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-58-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-56-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-52-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-50-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-48-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-46-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-30-0x0000000002570000-0x000000000258C000-memory.dmp

Filesize
112KB

Download
memory/1292-42-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-40-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-39-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-36-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-54-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-32-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-31-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1292-29-0x0000000004BC0000-0x0000000005164000-memory.dmp

Filesize
5.6MB

Download
memory/1292-28-0x0000000002390000-0x00000000023AE000-memory.dmp

Filesize
120KB

Download
memory/3736-75-0x00000000001D0000-0x0000000000200000-memory.dmp

Filesize
192KB

Download
memory/3736-76-0x0000000002360000-0x0000000002366000-memory.dmp

Filesize
24KB

Download
memory/3736-77-0x00000000052B0000-0x00000000058C8000-memory.dmp

Filesize
6.1MB

Download
memory/3736-79-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3736-78-0x0000000004DA0000-0x0000000004EAA000-memory.dmp

Filesize
1.0MB

Download
memory/3736-80-0x0000000004CF0000-0x0000000004D2C000-memory.dmp

Filesize
240KB

Download
memory/3736-81-0x0000000004D40000-0x0000000004D8C000-memory.dmp

Filesize
304KB

Download