warzonerat | 84cc7b5b7b1cd8448cf5529f493a6882016e75c85da54baa30e95fe32452f780

Analysis

max time kernel
83s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2023 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sekontary2.1.exe
Size

176KB
MD5

f2e4e0ba9fc3fe9d2229c31c4a5a40d0
SHA1

835ddaa41c2111632f4564f200dbceb969851f1e
SHA256

84cc7b5b7b1cd8448cf5529f493a6882016e75c85da54baa30e95fe32452f780
SHA512

39abfa17838eb52e393041a8f2f1f8e47a88a26fb644ceeb4322d93d3fe82ab016a023b42569a3d58e079f837b606877a42c05e0855f7b2936fe3ab4d28612a5
SSDEEP

3072:WfY/TU9fE9PEtuRbrDbPTMuOqCw5NQhDd3+4/qxvVHY0MLtTtQS0W1KHdqML:AYa6XrDbP6vw5ipvgvVHY0UTSJ9l

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

omerlan.duckdns.org:6548

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1864-143-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/1864-147-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/1864-148-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

pcspikx.exepcspikx.exe

pid process

2232 pcspikx.exe
1864 pcspikx.exe

pid	process
2232	pcspikx.exe
1864	pcspikx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pcspikx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sowsclhqavf = "C:\\Users\\Admin\\AppData\\Roaming\\vfokscxhdmvrb\\kgplueaj.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\pcspikx.exe\" C:\\Users\\Admin\\AppData\\L"	pcspikx.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

pcspikx.exe

description pid process target process

PID 2232 set thread context of 1864 2232 pcspikx.exe pcspikx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2232 set thread context of 1864	2232	pcspikx.exe	pcspikx.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings firefox.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pcspikx.exe

pid process

2232 pcspikx.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 3444 firefox.exe
Token: SeDebugPrivilege 3444 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3444 firefox.exe
3444 firefox.exe
3444 firefox.exe
3444 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3444 firefox.exe
3444 firefox.exe
3444 firefox.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

3444 firefox.exe
3444 firefox.exe
3444 firefox.exe
3444 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	firefox.exe

pid	process
2232	pcspikx.exe

description	pid	process
Token: SeDebugPrivilege	3444	firefox.exe
Token: SeDebugPrivilege	3444	firefox.exe

pid	process
3444	firefox.exe
3444	firefox.exe
3444	firefox.exe
3444	firefox.exe

pid	process
3444	firefox.exe
3444	firefox.exe
3444	firefox.exe

pid	process
3444	firefox.exe
3444	firefox.exe
3444	firefox.exe
3444	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sekontary2.1.exepcspikx.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1868 wrote to memory of 2232	1868	sekontary2.1.exe	pcspikx.exe
PID 1868 wrote to memory of 2232	1868	sekontary2.1.exe	pcspikx.exe
PID 1868 wrote to memory of 2232	1868	sekontary2.1.exe	pcspikx.exe
PID 2232 wrote to memory of 1864	2232	pcspikx.exe	pcspikx.exe
PID 2232 wrote to memory of 1864	2232	pcspikx.exe	pcspikx.exe
PID 2232 wrote to memory of 1864	2232	pcspikx.exe	pcspikx.exe
PID 2232 wrote to memory of 1864	2232	pcspikx.exe	pcspikx.exe
PID 520 wrote to memory of 3444	520	firefox.exe	firefox.exe
PID 520 wrote to memory of 3444	520	firefox.exe	firefox.exe
PID 520 wrote to memory of 3444	520	firefox.exe	firefox.exe
PID 520 wrote to memory of 3444	520	firefox.exe	firefox.exe
PID 520 wrote to memory of 3444	520	firefox.exe	firefox.exe
PID 520 wrote to memory of 3444	520	firefox.exe	firefox.exe
PID 520 wrote to memory of 3444	520	firefox.exe	firefox.exe
PID 520 wrote to memory of 3444	520	firefox.exe	firefox.exe
PID 520 wrote to memory of 3444	520	firefox.exe	firefox.exe
PID 520 wrote to memory of 3444	520	firefox.exe	firefox.exe
PID 520 wrote to memory of 3444	520	firefox.exe	firefox.exe
PID 3444 wrote to memory of 3104	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 3104	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe
PID 3444 wrote to memory of 4336	3444	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sekontary2.1.exe
"C:\Users\Admin\AppData\Local\Temp\sekontary2.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\pcspikx.exe
"C:\Users\Admin\AppData\Local\Temp\pcspikx.exe" C:\Users\Admin\AppData\Local\Temp\oiusxmgnt.njd
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\pcspikx.exe
"C:\Users\Admin\AppData\Local\Temp\pcspikx.exe"
3⤵
- Executes dropped EXE
PID:1864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3444

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3444.0.310564519\606335440" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {238aef6a-e941-4c59-a857-47d4ed5c2784} 3444 "\\.\pipe\gecko-crash-server-pipe.3444" 1936 18ef0bef558 gpu
3⤵
PID:3104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3444.1.1211899203\949733211" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d32277e9-1a10-4dca-8bb6-f23757e7c860} 3444 "\\.\pipe\gecko-crash-server-pipe.3444" 2316 18ee3c6fb58 socket
3⤵
PID:4336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3444.2.2085876980\1639515163" -childID 1 -isForBrowser -prefsHandle 3108 -prefMapHandle 3104 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fca6994c-01f9-4a81-bf6f-3a8c0ba96e0f} 3444 "\\.\pipe\gecko-crash-server-pipe.3444" 3084 18ef47f5258 tab
3⤵
PID:3320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3444.3.1868794267\2057117277" -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3624 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a183d5cb-4f76-4a31-aa74-faed3b197f9c} 3444 "\\.\pipe\gecko-crash-server-pipe.3444" 3600 18ef59ac258 tab
3⤵
PID:1924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3444.4.1201099271\1185311500" -childID 3 -isForBrowser -prefsHandle 3756 -prefMapHandle 3760 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97d5c261-5315-40c7-b6af-c9ca8d08fa77} 3444 "\\.\pipe\gecko-crash-server-pipe.3444" 3776 18ee3c5f258 tab
3⤵
PID:1536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3444.5.580941389\142082679" -childID 4 -isForBrowser -prefsHandle 2784 -prefMapHandle 4692 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {750bd5bc-5f89-412d-8abd-1ffdd1cd42eb} 3444 "\\.\pipe\gecko-crash-server-pipe.3444" 5132 18ee3c61058 tab
3⤵
PID:1320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3444.7.1804894440\1357061046" -childID 6 -isForBrowser -prefsHandle 5460 -prefMapHandle 5464 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57d55342-606b-40ad-a872-9da215c2b430} 3444 "\\.\pipe\gecko-crash-server-pipe.3444" 5452 18ef72b8d58 tab
3⤵
PID:3136

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3444.6.719033619\3341236" -childID 5 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdb404ad-b0b2-4433-8850-079cfb3915c4} 3444 "\\.\pipe\gecko-crash-server-pipe.3444" 5260 18ef6f39758 tab
3⤵
PID:3960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp
Filesize
151KB

MD5
d972f37dc2bbf30daac3842962c8aad4

SHA1
41edff37db8c526dc6bb1645015ee1366091e5f8

SHA256
d6c75025b8da164bab9ade937002e7a412105302b91e3600b426ab3650594a1a

SHA512
804b395263eea3b5f13b087274e786adaf721abe6ae6b95234baac5c932b8c0e60397a4b425a648ddef46de3c090a6d36920108497aa4cd5484a764d8545d926

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiusxmgnt.njd
Filesize
8KB

MD5
26278b38925678153585aac1eec3e0aa

SHA1
7a302d829d850afaefd2ad89b647450f590dcef6

SHA256
d1595b7e593d44cb831badbafceceeec19e51917b7388d7ffeac2e5ea40f9745

SHA512
20d198ab0d39689d27020cbfea6be0ad892c5dee5011a27a161fd107131a30501d8134f39e6657cb77068c604ef213fa2fbd313a236f9af8a35f6e60c53cfb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcspikx.exe
Filesize
5KB

MD5
f2ff3f9e75d7598ccf2e5033f27e6cec

SHA1
25180713e0c191de163f0279f0b49c6b4d7b9d31

SHA256
00f6c3c5970760b8f93b56119286d30b483a2ec5c0011c0716d4811398371594

SHA512
5471363503ac2e80da00eac5ced73a9e480209c601d638492c20f9947746d130df87a194526a24f5eef5030fcf46ac3ccaf19d8d2c9dded48cd3028f82c3b23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcspikx.exe
Filesize
5KB

MD5
f2ff3f9e75d7598ccf2e5033f27e6cec

SHA1
25180713e0c191de163f0279f0b49c6b4d7b9d31

SHA256
00f6c3c5970760b8f93b56119286d30b483a2ec5c0011c0716d4811398371594

SHA512
5471363503ac2e80da00eac5ced73a9e480209c601d638492c20f9947746d130df87a194526a24f5eef5030fcf46ac3ccaf19d8d2c9dded48cd3028f82c3b23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcspikx.exe
Filesize
5KB

MD5
f2ff3f9e75d7598ccf2e5033f27e6cec

SHA1
25180713e0c191de163f0279f0b49c6b4d7b9d31

SHA256
00f6c3c5970760b8f93b56119286d30b483a2ec5c0011c0716d4811398371594

SHA512
5471363503ac2e80da00eac5ced73a9e480209c601d638492c20f9947746d130df87a194526a24f5eef5030fcf46ac3ccaf19d8d2c9dded48cd3028f82c3b23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rylhmvfqh.s
Filesize
118KB

MD5
a7504e8404f8dad99b77d99cf5adf7b8

SHA1
bb8cf3ccaed5dc577eff22bbc1131183ab0af1fe

SHA256
704fcac5f6867f62af282555fd8186c822107fbdbc40db2d60f4f808e8aa55d9

SHA512
0cc001ee2f1d70c61403896a2f50510212079abe5be7378af6eb603e3cc51c5ece265a0587641a5741c3aa66071e72dc1cd2b0ab64c91e67aba10db45f23c53a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
Filesize
6KB

MD5
eabf7bf57bcfbeb06a1a017cacbd24cc

SHA1
76d3a7f9df1ffd5a83677f3d17c1ae6d7bc4d834

SHA256
fc249da8f6531467575737cc06657678a503ebf1d2f771ec300552fc4a6dbc0b

SHA512
c96e91d85c5d3778d32d5e5e5679352cc9098208043cf730319423bcbdda55058248c577e49ece19ce8a6c84dbc5c767c44de7ceae637d6b48ba9ad0d22a0e78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
Filesize
6KB

MD5
1e2ced950557d352cc98f8bbffdcc2c4

SHA1
51063a6fe235f8805f3125b32e67b7ff97f66686

SHA256
2ebad6f87e9f4fa909f7a0531145cac8d83e67a2b8140fa188bf83eb82af7fa3

SHA512
4dc8b6d8a69070e671c0ebadd2f60b1f3cd571a28223e44214f8ce7f34c92571e7b03ca29f3049b464f4abb9f9b8d0c439704fb7de00731e2965f820151d6b98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js
Filesize
6KB

MD5
f73e52d124620d05267ba934f3b312d3

SHA1
34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30

SHA256
fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7

SHA512
4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

Download Submit
memory/1864-143-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1864-147-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1864-148-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download