Overview

overview

10

Static

static

3

17f29ebe12...fa.exe

windows7-x64

10

17f29ebe12...fa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 17:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe

  • Size

    1.8MB

  • MD5

    4cf346373d331ff441b71ae12c4420ff

  • SHA1

    e4d53520a0b925b9122cba1f9f7cac6661ac014c

  • SHA256

    17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa

  • SHA512

    d82d681438a1df724b3b698d12049f0b4b11c829ec94de15bbf7c68a1b456675b4a5e2fa0f25a67d8daf6da28310df508f88b3cc0906fe02eb43a0c36dcb7a09

  • SSDEEP

    49152:9fRIz2Mkd2gce9Umg7kce1AmWp6/9V/eIxe2Lj4zVUw5xJS:1R6vkd2synNbm4k9V/eMeIwP5xJ

Score
10/10
amadeystealcfed3aastokdiscoveryevasionpersistencestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 14 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3396
      • C:\Users\Admin\AppData\Local\Temp\17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
        "C:\Users\Admin\AppData\Local\Temp\17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
          "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4056
          • C:\Users\Admin\AppData\Local\Temp\1006092001\Ixpla.exe
            "C:\Users\Admin\AppData\Local\Temp\1006092001\Ixpla.exe"
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Drops startup file
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3640
          • C:\Users\Admin\AppData\Local\Temp\1006141001\networkmanager.exe
            "C:\Users\Admin\AppData\Local\Temp\1006141001\networkmanager.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            PID:512
          • C:\Users\Admin\AppData\Local\Temp\1006182001\9e4feb4c2a.exe
            "C:\Users\Admin\AppData\Local\Temp\1006182001\9e4feb4c2a.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3688
          • C:\Users\Admin\AppData\Local\Temp\1006183001\6b9e4cc150.exe
            "C:\Users\Admin\AppData\Local\Temp\1006183001\6b9e4cc150.exe"
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Windows security modification
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4736
      • C:\Users\Admin\AppData\Local\Temp\1006092001\Ixpla.exe
        "C:\Users\Admin\AppData\Local\Temp\1006092001\Ixpla.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4720
        • C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
          "C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3488
      • C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
        "C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\10000470111\123719821238.dll, Main
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2488
      • C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
        "C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
        2⤵
        • Executes dropped EXE
        PID:4816
      • C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
        "C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
        2⤵
        • Executes dropped EXE
        PID:3584
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4728
    • C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
      C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2108
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2032
    • C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
      C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4756

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\10000470111\123719821238.dll
      Filesize

      13KB

      MD5

      44163d81bb5710839fb9ba265de2c942

      SHA1

      a7497d6085ed8ce25e9728a0af7e989e026eaf04

      SHA256

      de4e3ff7f7da5d5561e384585a9d0cb66f2c51ea324c184848d125d8792bf666

      SHA512

      97ef4974f41affd04eb960fa873cd9754f31007c3d7239a7fb5b17cc152c01f2050c3b25d107e36ab5c65010610624e773f726de7d39255bb2c0ad5d8b9929a4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1006092001\Ixpla.exe
      Filesize

      1.4MB

      MD5

      6e7ffd057086e44e4fcc01846cd2b152

      SHA1

      05712e7e7b8429b2dd201ea504dc32fefe5795da

      SHA256

      fbc587e990949e428e8ce7a2c74dbf85cd63ffa07370756ad854595fea0033d7

      SHA512

      8cab1824b32c54273658d28738109c8a1ef3170c1fbe02deeee40d40990acb6d45431bfb65a3facebee9a919bd972734012b1e8de035b9c1329f1bd0e709ecd2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1006141001\networkmanager.exe
      Filesize

      2.1MB

      MD5

      f8d528a37993ed91d2496bab9fc734d3

      SHA1

      4b66b225298f776e21f566b758f3897d20b23cad

      SHA256

      bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02

      SHA512

      75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1006182001\9e4feb4c2a.exe
      Filesize

      1.8MB

      MD5

      d21609e703999b87040f7a9b6237f5e8

      SHA1

      1fe2bd28aa876fa28fa9cd33f51f00fc82b8b3d5

      SHA256

      e9b37653e9dc29f692778fbbb88e970afbeaad574855255ca278eda13d79e001

      SHA512

      07ce349bfd56a57c5e5524781d34f2df0ec0d65f88934114100f8094d3f0fa47b029dac14c55f2864207fbd7923cdbda3fda5df7bcaf9c41c9b1417ec1d08b3c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1006183001\6b9e4cc150.exe
      Filesize

      2.7MB

      MD5

      011c92ee809e050ffe9560fdc3c16706

      SHA1

      8fb19f1559cf61126212675a11c154de4a9bc98a

      SHA256

      a0ee8cb0819ee13fbacd3bdc3621c0f9b930bc7085b22118b93eb7e2d8500b8d

      SHA512

      9a99e9d5c3006dc58ce0e732ed7eac7a21247335c8bd99c3c00af28ca19457780a8e6b30dca3caa651558172c810d9065a92854c5e47534f60366f4970a6895c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      Filesize

      1.8MB

      MD5

      4cf346373d331ff441b71ae12c4420ff

      SHA1

      e4d53520a0b925b9122cba1f9f7cac6661ac014c

      SHA256

      17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa

      SHA512

      d82d681438a1df724b3b698d12049f0b4b11c829ec94de15bbf7c68a1b456675b4a5e2fa0f25a67d8daf6da28310df508f88b3cc0906fe02eb43a0c36dcb7a09

      Download Submit

    • memory/512-1241-0x0000000000B10000-0x000000000128B000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/512-1283-0x0000000000B10000-0x000000000128B000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2032-3718-0x0000000000660000-0x0000000000B34000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2032-3720-0x0000000000660000-0x0000000000B34000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2116-0-0x00000000000E0000-0x00000000005B4000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2116-17-0x00000000000E0000-0x00000000005B4000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2116-4-0x00000000000E0000-0x00000000005B4000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2116-3-0x00000000000E0000-0x00000000005B4000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2116-2-0x00000000000E1000-0x000000000010F000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2116-1-0x0000000077D14000-0x0000000077D16000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3640-67-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-95-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-44-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-79-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-89-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-87-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-85-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-83-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-81-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-78-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-75-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-73-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-71-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-69-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-65-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-63-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-61-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-59-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-57-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-55-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-53-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-51-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-49-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-47-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-99-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-105-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-103-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-101-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-97-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-45-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-93-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-91-0x00000000055D0000-0x00000000056E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-1293-0x00000000057F0000-0x0000000005844000-memory.dmp

      Filesize

      336KB

      Download

    • memory/3640-1292-0x0000000006090000-0x0000000006634000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3640-1223-0x00000000056F0000-0x000000000577A000-memory.dmp

      Filesize

      552KB

      Download

    • memory/3640-1224-0x0000000005520000-0x000000000556C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3640-43-0x00000000055D0000-0x00000000056E8000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3640-1260-0x000000007392E000-0x000000007392F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3640-42-0x00000000009B0000-0x0000000000B1A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3640-41-0x000000007392E000-0x000000007392F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3688-1259-0x0000000000D60000-0x000000000141E000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/3688-1257-0x0000000000D60000-0x000000000141E000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4056-1239-0x0000000000660000-0x0000000000B34000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4056-22-0x0000000000660000-0x0000000000B34000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4056-18-0x0000000000660000-0x0000000000B34000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4056-19-0x0000000000661000-0x000000000068F000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4056-21-0x0000000000660000-0x0000000000B34000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4056-20-0x0000000000660000-0x0000000000B34000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4056-1222-0x0000000000660000-0x0000000000B34000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4056-592-0x0000000000660000-0x0000000000B34000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4728-2500-0x0000000000660000-0x0000000000B34000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4728-2502-0x0000000000660000-0x0000000000B34000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4736-1279-0x0000000000290000-0x0000000000542000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/4736-1289-0x0000000000290000-0x0000000000542000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/4736-1286-0x0000000000290000-0x0000000000542000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/4736-1281-0x0000000000290000-0x0000000000542000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/4736-1280-0x0000000000290000-0x0000000000542000-memory.dmp

      Filesize

      2.7MB

      Download