redline | e616c9cb9911bcc75db23046f1b0f6a9248114c64d25c1ab5971041c0dd11798

Analysis

max time kernel
136s
max time network
150s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79f4ef61d09cc28818a90ffdd80d338f.exe
Size

700KB
MD5

79f4ef61d09cc28818a90ffdd80d338f
SHA1

f3de2ce04168a7e894dcd9a3e234819b9aba21e3
SHA256

e616c9cb9911bcc75db23046f1b0f6a9248114c64d25c1ab5971041c0dd11798
SHA512

f874382fa12f0b9dc01fd842131df40b4db77c80aaf968ff5dfa523af5a627003f2431715eea52934f1dac6ff45b38420d7f93dfc705eedb0b8b7ccf25f382ee

Score

10^/10

redline warzonerat iyke discovery infostealer persistence rat spyware stealer suricata

Malware Config

Extracted

Family

warzonerat

76.8.53.133:1198

Extracted

Family

redline

Botnet

IYKE

76.8.53.133:30308

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\build.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\build.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\build.exe	family_redline
behavioral1/memory/872-86-0x0000000000990000-0x00000000009AE000-memory.dmp	family_redline

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
suricata
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
suricata

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\new warzone file.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\new warzone file.exe	warzonerat
\Users\Admin\AppData\Local\Temp\new warzone file.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\new warzone file.exe	warzonerat

Executes dropped EXE 2 IoCs

Processes:

new warzone file.exebuild.exe

pid process

1136 new warzone file.exe
872 build.exe

pid	process
1136	new warzone file.exe
872	build.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

new warzone file.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	new warzone file.exe

Loads dropped DLL 4 IoCs

Processes:

79f4ef61d09cc28818a90ffdd80d338f.exe

pid process

980 79f4ef61d09cc28818a90ffdd80d338f.exe
980 79f4ef61d09cc28818a90ffdd80d338f.exe
980 79f4ef61d09cc28818a90ffdd80d338f.exe
1696
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
980	79f4ef61d09cc28818a90ffdd80d338f.exe
980	79f4ef61d09cc28818a90ffdd80d338f.exe
980	79f4ef61d09cc28818a90ffdd80d338f.exe
1696

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

new warzone file.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	new warzone file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	new warzone file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\dGi..Gt = "0"	new warzone file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	new warzone file.exe

Drops file in System32 directory 1 IoCs

Processes:

new warzone file.exe

description ioc process

File created C:\Windows\System32\rfxvmt.dll new warzone file.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

79f4ef61d09cc28818a90ffdd80d338f.exe

description pid process target process

PID 1412 set thread context of 980 1412 79f4ef61d09cc28818a90ffdd80d338f.exe 79f4ef61d09cc28818a90ffdd80d338f.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	new warzone file.exe

description	pid	process	target process
PID 1412 set thread context of 980	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	79f4ef61d09cc28818a90ffdd80d338f.exe

Drops file in Program Files directory 2 IoCs

Processes:

new warzone file.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	new warzone file.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	new warzone file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1364 schtasks.exe

pid	process
1364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

79f4ef61d09cc28818a90ffdd80d338f.exepowershell.exebuild.exepowershell.exe

pid	process
1412	79f4ef61d09cc28818a90ffdd80d338f.exe
1412	79f4ef61d09cc28818a90ffdd80d338f.exe
1412	79f4ef61d09cc28818a90ffdd80d338f.exe
1412	79f4ef61d09cc28818a90ffdd80d338f.exe
1412	79f4ef61d09cc28818a90ffdd80d338f.exe
1412	79f4ef61d09cc28818a90ffdd80d338f.exe
1412	79f4ef61d09cc28818a90ffdd80d338f.exe
1412	79f4ef61d09cc28818a90ffdd80d338f.exe
1412	79f4ef61d09cc28818a90ffdd80d338f.exe
1412	79f4ef61d09cc28818a90ffdd80d338f.exe
1704	powershell.exe
872	build.exe
872	build.exe
1740	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

1696

pid	process
1696

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

79f4ef61d09cc28818a90ffdd80d338f.exepowershell.exebuild.exepowershell.exenew warzone file.exe

description	pid	process
Token: SeDebugPrivilege	1412	79f4ef61d09cc28818a90ffdd80d338f.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	872	build.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1136	new warzone file.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

new warzone file.exe

pid process

1136 new warzone file.exe

pid	process
1136	new warzone file.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

79f4ef61d09cc28818a90ffdd80d338f.exe79f4ef61d09cc28818a90ffdd80d338f.exenew warzone file.exe

description	pid	process	target process
PID 1412 wrote to memory of 1704	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	powershell.exe
PID 1412 wrote to memory of 1704	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	powershell.exe
PID 1412 wrote to memory of 1704	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	powershell.exe
PID 1412 wrote to memory of 1704	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	powershell.exe
PID 1412 wrote to memory of 1364	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	schtasks.exe
PID 1412 wrote to memory of 1364	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	schtasks.exe
PID 1412 wrote to memory of 1364	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	schtasks.exe
PID 1412 wrote to memory of 1364	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	schtasks.exe
PID 1412 wrote to memory of 980	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	79f4ef61d09cc28818a90ffdd80d338f.exe
PID 1412 wrote to memory of 980	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	79f4ef61d09cc28818a90ffdd80d338f.exe
PID 1412 wrote to memory of 980	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	79f4ef61d09cc28818a90ffdd80d338f.exe
PID 1412 wrote to memory of 980	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	79f4ef61d09cc28818a90ffdd80d338f.exe
PID 1412 wrote to memory of 980	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	79f4ef61d09cc28818a90ffdd80d338f.exe
PID 1412 wrote to memory of 980	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	79f4ef61d09cc28818a90ffdd80d338f.exe
PID 1412 wrote to memory of 980	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	79f4ef61d09cc28818a90ffdd80d338f.exe
PID 1412 wrote to memory of 980	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	79f4ef61d09cc28818a90ffdd80d338f.exe
PID 1412 wrote to memory of 980	1412	79f4ef61d09cc28818a90ffdd80d338f.exe	79f4ef61d09cc28818a90ffdd80d338f.exe
PID 980 wrote to memory of 1136	980	79f4ef61d09cc28818a90ffdd80d338f.exe	new warzone file.exe
PID 980 wrote to memory of 1136	980	79f4ef61d09cc28818a90ffdd80d338f.exe	new warzone file.exe
PID 980 wrote to memory of 1136	980	79f4ef61d09cc28818a90ffdd80d338f.exe	new warzone file.exe
PID 980 wrote to memory of 1136	980	79f4ef61d09cc28818a90ffdd80d338f.exe	new warzone file.exe
PID 980 wrote to memory of 872	980	79f4ef61d09cc28818a90ffdd80d338f.exe	build.exe
PID 980 wrote to memory of 872	980	79f4ef61d09cc28818a90ffdd80d338f.exe	build.exe
PID 980 wrote to memory of 872	980	79f4ef61d09cc28818a90ffdd80d338f.exe	build.exe
PID 980 wrote to memory of 872	980	79f4ef61d09cc28818a90ffdd80d338f.exe	build.exe
PID 1136 wrote to memory of 1740	1136	new warzone file.exe	powershell.exe
PID 1136 wrote to memory of 1740	1136	new warzone file.exe	powershell.exe
PID 1136 wrote to memory of 1740	1136	new warzone file.exe	powershell.exe
PID 1136 wrote to memory of 1740	1136	new warzone file.exe	powershell.exe
PID 1136 wrote to memory of 1560	1136	new warzone file.exe	cmd.exe
PID 1136 wrote to memory of 1560	1136	new warzone file.exe	cmd.exe
PID 1136 wrote to memory of 1560	1136	new warzone file.exe	cmd.exe
PID 1136 wrote to memory of 1560	1136	new warzone file.exe	cmd.exe
PID 1136 wrote to memory of 1560	1136	new warzone file.exe	cmd.exe
PID 1136 wrote to memory of 1560	1136	new warzone file.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\79f4ef61d09cc28818a90ffdd80d338f.exe
"C:\Users\Admin\AppData\Local\Temp\79f4ef61d09cc28818a90ffdd80d338f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IcpBSP.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IcpBSP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEED2.tmp"
2⤵
- Creates scheduled task(s)
PID:1364

C:\Users\Admin\AppData\Local\Temp\79f4ef61d09cc28818a90ffdd80d338f.exe
"C:\Users\Admin\AppData\Local\Temp\79f4ef61d09cc28818a90ffdd80d338f.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\new warzone file.exe
"C:\Users\Admin\AppData\Local\Temp\new warzone file.exe"
3⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
95KB

MD5
aeb7863b737358d6917750bf34d6bfaf

SHA1
6fb9f75797adaf6d4745415d740946301c0fefc1

SHA256
0653031df30643ea5efa30506bc0bff8ce88fc4a589f69c0260381e982e9e1d5

SHA512
c774614f96417748a766147ab03acce9e15d168fa601f84e4ed642073500f483d3d0156d17cbc8382d837b72e7042ac5ec6f2fe1e91a3105672289c299a8a2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
95KB

MD5
aeb7863b737358d6917750bf34d6bfaf

SHA1
6fb9f75797adaf6d4745415d740946301c0fefc1

SHA256
0653031df30643ea5efa30506bc0bff8ce88fc4a589f69c0260381e982e9e1d5

SHA512
c774614f96417748a766147ab03acce9e15d168fa601f84e4ed642073500f483d3d0156d17cbc8382d837b72e7042ac5ec6f2fe1e91a3105672289c299a8a2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\new warzone file.exe
Filesize
113KB

MD5
4c87cc90157de9ee0ded52059b79b402

SHA1
c9b439950937b47c3b1b3c71c09f82215089c5b2

SHA256
a27087a5e852d409af70e117cfe6beab449556581876daca7ed6169e27e8ddea

SHA512
8880bc3d8ab285481f701bb5f61a43c2933e5fe09183a1414bde07817036be4302e53b48f6ccdd360e940513fb2052014856b310504218e19aea472078d68a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\new warzone file.exe
Filesize
113KB

MD5
4c87cc90157de9ee0ded52059b79b402

SHA1
c9b439950937b47c3b1b3c71c09f82215089c5b2

SHA256
a27087a5e852d409af70e117cfe6beab449556581876daca7ed6169e27e8ddea

SHA512
8880bc3d8ab285481f701bb5f61a43c2933e5fe09183a1414bde07817036be4302e53b48f6ccdd360e940513fb2052014856b310504218e19aea472078d68a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEED2.tmp
Filesize
1KB

MD5
a57015f08c3ca425520cb91a7b3d4d8b

SHA1
7eb281c9a7fd5eb74a7821cb37c19139f05fc580

SHA256
bed1cd7e653ebfee015d1cc7525b9e1d1d6318b876eadc74e929ff663a8c5015

SHA512
1f538c745edc15fa041770508a22e86e31766bad1f24bfef2272378a20088595b460aee6f00fff70c9f227549fc86d1a0c1e3e7fa755f8608f885d1672ed840d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
2e601776e4a466ba8b4b697f096d1d00

SHA1
89e28066e04fc69a9f1063777d92a677312195a0

SHA256
1cd06ae40fc9b1bb48b3e3847e4265e13b9cb235b3feb2b47f8b70d5ec496a60

SHA512
088b25e69902badd66792a8032f0f38d5b4cad1987c2b140304e61ead098971e5470160e467e36e4f39ad1ffe7ba59a7dcb789c8a07a1a7b33b05988f45a7ebb

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll
Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
Filesize
95KB

MD5
aeb7863b737358d6917750bf34d6bfaf

SHA1
6fb9f75797adaf6d4745415d740946301c0fefc1

SHA256
0653031df30643ea5efa30506bc0bff8ce88fc4a589f69c0260381e982e9e1d5

SHA512
c774614f96417748a766147ab03acce9e15d168fa601f84e4ed642073500f483d3d0156d17cbc8382d837b72e7042ac5ec6f2fe1e91a3105672289c299a8a2ea

Download Submit
\Users\Admin\AppData\Local\Temp\new warzone file.exe
Filesize
113KB

MD5
4c87cc90157de9ee0ded52059b79b402

SHA1
c9b439950937b47c3b1b3c71c09f82215089c5b2

SHA256
a27087a5e852d409af70e117cfe6beab449556581876daca7ed6169e27e8ddea

SHA512
8880bc3d8ab285481f701bb5f61a43c2933e5fe09183a1414bde07817036be4302e53b48f6ccdd360e940513fb2052014856b310504218e19aea472078d68a79

Download Submit
\Users\Admin\AppData\Local\Temp\new warzone file.exe
Filesize
113KB

MD5
4c87cc90157de9ee0ded52059b79b402

SHA1
c9b439950937b47c3b1b3c71c09f82215089c5b2

SHA256
a27087a5e852d409af70e117cfe6beab449556581876daca7ed6169e27e8ddea

SHA512
8880bc3d8ab285481f701bb5f61a43c2933e5fe09183a1414bde07817036be4302e53b48f6ccdd360e940513fb2052014856b310504218e19aea472078d68a79

Download Submit
memory/872-86-0x0000000000990000-0x00000000009AE000-memory.dmp

Filesize
120KB

Download
memory/872-83-0x0000000000000000-mapping.dmp

Download
memory/980-64-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/980-66-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/980-68-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/980-71-0x0000000000448CDE-mapping.dmp

Download
memory/980-73-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/980-75-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/980-69-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/980-70-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1136-79-0x0000000000000000-mapping.dmp

Download
memory/1136-97-0x0000000003E50000-0x0000000003F50000-memory.dmp

Filesize
1024KB

Download
memory/1364-60-0x0000000000000000-mapping.dmp

Download
memory/1412-56-0x00000000003D0000-0x00000000003E6000-memory.dmp

Filesize
88KB

Download
memory/1412-54-0x0000000000940000-0x00000000009F6000-memory.dmp

Filesize
728KB

Download
memory/1412-63-0x0000000005010000-0x0000000005060000-memory.dmp

Filesize
320KB

Download
memory/1412-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1412-58-0x0000000009C70000-0x0000000009D0A000-memory.dmp

Filesize
616KB

Download
memory/1412-57-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/1560-96-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1560-92-0x0000000000000000-mapping.dmp

Download
memory/1704-65-0x000000006F4D0000-0x000000006FA7B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-88-0x000000006F4D0000-0x000000006FA7B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-59-0x0000000000000000-mapping.dmp

Download
memory/1740-94-0x000000006D250000-0x000000006D7FB000-memory.dmp

Filesize
5.7MB

Download
memory/1740-95-0x000000006D250000-0x000000006D7FB000-memory.dmp

Filesize
5.7MB

Download
memory/1740-90-0x0000000000000000-mapping.dmp

Download