amadey | bf554462c091219488a1a53fff22213df8d9530fa6ff0f59033b0c9ee9173555

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

046ebd7e0f619f33de609ea3f126b0d3.exe
Size

1.3MB
MD5

046ebd7e0f619f33de609ea3f126b0d3
SHA1

37a0b634955eb29f9bc7d3d434838cd729bb7e17
SHA256

bf554462c091219488a1a53fff22213df8d9530fa6ff0f59033b0c9ee9173555
SHA512

39afa534b862f9faebb4aa1ff4144a7d53f62adfd389531f75bdf10865fe8d846e79b3138ec90f2e9d4eb92a72e7a856f0c7be857a892a54eb2f2503f3030d10
SSDEEP

24576:39O/bmU++vQu1TL9yJ5d2m8y7i1HlcoGpJ042jJpUeBk2h:3k/X+75dAyMGDP2dpUYXh

Score

10^/10

amadey 1176f2 discovery trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

http://185.215.113.19

Attributes

install_dir
417fd29867
install_file
ednfoki.exe
strings_key
183201dc3defc4394182b4bff63c4065
url_paths
/CoreOPT/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 432 created 3488	432	Shipment.pif	56
PID 432 created 3488	432	Shipment.pif	56

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	046ebd7e0f619f33de609ea3f126b0d3.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
432	Shipment.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
60	tasklist.exe
2416	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ProjectionAcademy	046ebd7e0f619f33de609ea3f126b0d3.exe
File opened for modification	C:\Windows\ChipSeems	046ebd7e0f619f33de609ea3f126b0d3.exe
File opened for modification	C:\Windows\LaboratoriesFriend	046ebd7e0f619f33de609ea3f126b0d3.exe
File opened for modification	C:\Windows\ConditionSuperintendent	046ebd7e0f619f33de609ea3f126b0d3.exe
File opened for modification	C:\Windows\AyePercent	046ebd7e0f619f33de609ea3f126b0d3.exe
File opened for modification	C:\Windows\CuDefense	046ebd7e0f619f33de609ea3f126b0d3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	046ebd7e0f619f33de609ea3f126b0d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipment.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	60	tasklist.exe
Token: SeDebugPrivilege	2416	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
432	Shipment.pif
432	Shipment.pif
432	Shipment.pif

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 4076	3212	046ebd7e0f619f33de609ea3f126b0d3.exe	87
PID 3212 wrote to memory of 4076	3212	046ebd7e0f619f33de609ea3f126b0d3.exe	87
PID 3212 wrote to memory of 4076	3212	046ebd7e0f619f33de609ea3f126b0d3.exe	87
PID 4076 wrote to memory of 60	4076	cmd.exe	89
PID 4076 wrote to memory of 60	4076	cmd.exe	89
PID 4076 wrote to memory of 60	4076	cmd.exe	89
PID 4076 wrote to memory of 2224	4076	cmd.exe	90
PID 4076 wrote to memory of 2224	4076	cmd.exe	90
PID 4076 wrote to memory of 2224	4076	cmd.exe	90
PID 4076 wrote to memory of 2416	4076	cmd.exe	92
PID 4076 wrote to memory of 2416	4076	cmd.exe	92
PID 4076 wrote to memory of 2416	4076	cmd.exe	92
PID 4076 wrote to memory of 2488	4076	cmd.exe	93
PID 4076 wrote to memory of 2488	4076	cmd.exe	93
PID 4076 wrote to memory of 2488	4076	cmd.exe	93
PID 4076 wrote to memory of 3972	4076	cmd.exe	94
PID 4076 wrote to memory of 3972	4076	cmd.exe	94
PID 4076 wrote to memory of 3972	4076	cmd.exe	94
PID 4076 wrote to memory of 3816	4076	cmd.exe	95
PID 4076 wrote to memory of 3816	4076	cmd.exe	95
PID 4076 wrote to memory of 3816	4076	cmd.exe	95
PID 4076 wrote to memory of 4796	4076	cmd.exe	96
PID 4076 wrote to memory of 4796	4076	cmd.exe	96
PID 4076 wrote to memory of 4796	4076	cmd.exe	96
PID 4076 wrote to memory of 432	4076	cmd.exe	97
PID 4076 wrote to memory of 432	4076	cmd.exe	97
PID 4076 wrote to memory of 432	4076	cmd.exe	97
PID 4076 wrote to memory of 1256	4076	cmd.exe	98
PID 4076 wrote to memory of 1256	4076	cmd.exe	98
PID 4076 wrote to memory of 1256	4076	cmd.exe	98
PID 432 wrote to memory of 4536	432	Shipment.pif	99
PID 432 wrote to memory of 4536	432	Shipment.pif	99
PID 432 wrote to memory of 4536	432	Shipment.pif	99
PID 432 wrote to memory of 1076	432	Shipment.pif	101
PID 432 wrote to memory of 1076	432	Shipment.pif	101
PID 432 wrote to memory of 1076	432	Shipment.pif	101
PID 4536 wrote to memory of 1424	4536	cmd.exe	103
PID 4536 wrote to memory of 1424	4536	cmd.exe	103
PID 4536 wrote to memory of 1424	4536	cmd.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\046ebd7e0f619f33de609ea3f126b0d3.exe
  "C:\Users\Admin\AppData\Local\Temp\046ebd7e0f619f33de609ea3f126b0d3.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:60
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2224
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2416
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 591950
      4⤵
      System Location Discovery: System Language Discovery
      PID:3972
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "BachelorRayPotentialBeats" Itsa
      4⤵
      System Location Discovery: System Language Discovery
      PID:3816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Competent + ..\Screw + ..\Whom + ..\Reveal + ..\Provides + ..\Still + ..\Entrepreneurs + ..\Greatest + ..\Corporate + ..\Wireless E
      4⤵
      System Location Discovery: System Language Discovery
      PID:4796
  - - C:\Users\Admin\AppData\Local\Temp\591950\Shipment.pif
      Shipment.pif E
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:432
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1424
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & echo URL="C:\Users\Admin\AppData\Local\TrackGuard Technologies\GuardTrack.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\550978852402

Filesize
86KB

MD5
8f3804fbaf25c8598da4d9ae10422447

SHA1
9f19fd8d6e7b001120329d681330cba544295b82

SHA256
f05e6d952d53560776d16f1c345a7981db5f305b23158457f7a8b9f95a81293f

SHA512
383ec0d4f60023574e6bf14057402aefd76514c9b9a1e64f2f78f8f042cc6479cfd576b21fe143b7903bf3ee0a97d1e6ebfb936934c7109cd869ae25e453ffb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\591950\E

Filesize
773KB

MD5
6a22704ae494645ca19955de0cb879bc

SHA1
acc40b89422c32563656441519df5d2199772398

SHA256
f4e8beb419142c0b8152cd8028b95a877b938a1f400c610dee9e4139484385d6

SHA512
3852d5e7d29be2b89008c9a970d4770a5d4599d6f75b4927fb56ca12fdc7ba5db0d2a6425786ec71a57a86342fcfc669e6cfb724683922feb5175dd369a5d687

Download Submit
C:\Users\Admin\AppData\Local\Temp\591950\Shipment.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Competent

Filesize
85KB

MD5
d79ddda7e49b51bb69f59808170a5e63

SHA1
b791857ae7b920d50f2fc97f0895f289c6a9e8bd

SHA256
609b33673ba3698de21d56bce0a871d9d96269c7d86bc087419610452675a90e

SHA512
4f977ba99b3f88d60380f81efc0b74bbe4ae29573e0e8caf0f5899e83f29be895391ff374a0e557b5be4eecd241829a442c92fa72f5dddcb440a45cc4356a157

Download Submit
C:\Users\Admin\AppData\Local\Temp\Corporate

Filesize
65KB

MD5
57b8ab1323416077ed8bb346dd2daa09

SHA1
43116dae9716caf4e7f43943a89e357204c842f8

SHA256
1a8d43ecf42d62c9f4dfdad24c25136a028760a19cf4fd27336bfbb0962426b9

SHA512
1899d8ce43c0e18ff3d7ea833680921a717d098fd2c4f8f5ded7007aa31f9946d6895f65364b17ba7da2f77afa5ef3782eefce562314776bc7fc8b5cb45b1f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Entrepreneurs

Filesize
92KB

MD5
1c78ead3742c95a2c4df31c8d71e0f1b

SHA1
a075cca4d9d8fa5fe3ddbf1f2d6e120208cb5b17

SHA256
b25e0f67c38257dbc0ab9a7d6af8870c878211abd4e51b8db52d9c3e2272652d

SHA512
09a234d52b31b38a4071078abdc9a976aa58716a7ba9f1832b84966f039b621044eaaa641fdb2c919fe5334902e4dbaa8e3fd19a638583120f881cde218b9112

Download Submit
C:\Users\Admin\AppData\Local\Temp\Greatest

Filesize
98KB

MD5
043e35e2330184d548101dfdb638be96

SHA1
f73e6f2af1052b4810820c68f9693e90f6a07d6d

SHA256
2d081c4a75403c808336cd690598e765d1277cea32e3cea2cb7bc0e62ad35c77

SHA512
d764704f01b91644df122c4eff4dba404a46bc436c45f5406509e509213306a0cded57cbbeca20a6b474c656c294a91e2ea16025b267af34f4760fc02a8d69c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Honda

Filesize
12KB

MD5
cef464062b7e5b404539d0c443917907

SHA1
01802c968d8917fab13d71bfe4ed62e36e965745

SHA256
5c1046ea8e740faaaf01e2818ebf5cea15d398594a26b8bb76e8b3da6dbd1bba

SHA512
a5e335a7be3bc40b5dd30e40813bae8cd51761c2bfb8d4e2b6ad067cf8dd429aec85ad70534780de6d8fa8e996f310fb3d73334c83eb6ec92816c497c303e6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Itsa

Filesize
868B

MD5
20ca365e882b4c4a95b110e62f8a4c08

SHA1
662e9b589d89de106713f361d8b2536740554785

SHA256
2739a9b72a38c08a6385701c6bafeb7fdd7fae8b33ace80732ec934ec8518c6c

SHA512
9682a8935932673b2c1c5fda831c5b1e53219dbd74dbf96e483cdec68db6b31a69d714f6257c62a708bf0b6a2773f5f01efc86cb54fcc084341a862ed6e4d6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Provides

Filesize
80KB

MD5
72dcad57e5699dc20cb41f6ae4acd115

SHA1
cb7e6842f24319262605ea2c1bf3a7eae60358af

SHA256
945d570376b997851fd74131bcf117aad625341fcb7b756409e7cb711632cb0c

SHA512
5f251f25514d5d138d20b308c2c162daf9520dde28f25379d09acaf1f2fc67bcf9a3bfa62a42d83c19febfd28809e82561aa2b19614735037930964d1aa18afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reveal

Filesize
74KB

MD5
d6a091e43db1334c92a9163fb999aa13

SHA1
380674ed8d23c1ec2f9a5f5b0167970b296772a7

SHA256
2299a0df735b5c6a171ddd6a1b009756c19ec3bb1383bef34bca8fa7f4a6cf09

SHA512
4142fc9995b083bc2d3d9b5c2789ea564117ed0ede14a1aa510e9b32b8fdcd149350ce8069ec168141e720d4ffaa246bc7a4585fdff4466343ca3f4d206719f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scottish

Filesize
871KB

MD5
ea1cfad1b98da498addad255609d0e5f

SHA1
14fa7e96806624330a8899b215550122aeb94c91

SHA256
da224ea0c81fd05189621037f4f0b856f47dd1fb0841d4142395f638da7eb802

SHA512
ede7fa0fc6922366dd7319bdc0a00af36b39d506ee246a18d66641374a04727318abdc8832944995c4374487515b38017a081ffbfa17f566b1c83fac59e39442

Download Submit
C:\Users\Admin\AppData\Local\Temp\Screw

Filesize
68KB

MD5
5fc7641883018edbf0ead49af5ec3cbc

SHA1
b021e03764aa36d5b5176ab9dbd825001d9797c8

SHA256
419e973c6e735bba8b60704a962e0b79d285e7a09cb317aefab1ed001a1bf344

SHA512
698c1ee8137077116160e8958daabed29da1bfc2c9ce9795a5242fbd8a61fd2d425aa5722542d60f8df15c2af19a3ecb4a7d3628c9fdbf40f46a37769647eade

Download Submit
C:\Users\Admin\AppData\Local\Temp\Still

Filesize
82KB

MD5
5737221e4786a16db1d00b526a889913

SHA1
b44ef92d0f12e91e236f96359fa3667c773703ab

SHA256
743304691772b7f4b1254b7ec4defe408abd5380c260906ff5d51018cc51c7f4

SHA512
0b3219ff89bd5f80aa83682c6193c8f540058262231f343ab11ebccb7849cf45b1b2850494150522479735304cd255e4bc25c1bd76a42f7482e43a3f60d000ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Whom

Filesize
66KB

MD5
cf18a7ed11645523addbd2fbb31b014d

SHA1
09caf4ed6b6822e838d3512ce5a75e4125192c5f

SHA256
27dbf0e6f006ae0f7fa94cd33287e7f3ab85e1fa637636eff8e94eb649e45990

SHA512
f1cfc3fbaccfcd199b99ac647a2a0f76a05a7db1b655fa2e9de44def1630bebbfdbbd814225664f2d7d7015ff73b87c02242bec5105460459694f03e836f0d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wireless

Filesize
63KB

MD5
df9a85af5771ea736a104b6e3eb86f0b

SHA1
319cb80eed888d089ab5b6944adbcbe89c3195eb

SHA256
cee5172f67cacbc90062c13713a08561b6984cb6c3c98663b7e541445b2fd492

SHA512
8e7aedbe38bedf9a0c167f778eb7678b6ad73f56e1f1196eaf771c01b8d6cd2a99ff015190efcf3f7e340979e501172d2d606e3e3b9ae53873ab9244aaf10eb9

Download Submit
memory/432-39-0x00000000046D0000-0x0000000004741000-memory.dmp

Filesize
452KB

Download
memory/432-40-0x00000000046D0000-0x0000000004741000-memory.dmp

Filesize
452KB

Download
memory/432-41-0x00000000046D0000-0x0000000004741000-memory.dmp

Filesize
452KB

Download
memory/432-42-0x00000000046D0000-0x0000000004741000-memory.dmp

Filesize
452KB

Download
memory/432-43-0x00000000046D0000-0x0000000004741000-memory.dmp

Filesize
452KB

Download
memory/432-44-0x00000000046D0000-0x0000000004741000-memory.dmp

Filesize
452KB

Download
memory/432-45-0x00000000046D0000-0x0000000004741000-memory.dmp

Filesize
452KB

Download