warzonerat | abf24499470a3d16f45c1b747820a07784a1f98a5e29b2eb8414adcefe83012b

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
01-07-2021 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bank Slip_SC -038-20210303-B.scr
Size

1.1MB
MD5

0de04896312059da5e706416636ce15d
SHA1

d4b032118b54ef9772898e3db50c7524fbab9714
SHA256

abf24499470a3d16f45c1b747820a07784a1f98a5e29b2eb8414adcefe83012b
SHA512

5334242bc77d921b5ffb0b2883ece61abd47b90eb3c038e922b4b89542a4d8dba147273c173281a80b9b4476e1c5e84cd942b0dc618d911e33badeb962358823

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

79.134.225.119:9584

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3188-137-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3188-138-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/3188-159-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2276-209-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/2276-214-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

2868 images.exe
2276 images.exe

pid	process
2868	images.exe
2276	images.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bank Slip_SC -038-20210303-B.scr

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	Bank Slip_SC -038-20210303-B.scr

Suspicious use of SetThreadContext 2 IoCs

Processes:

Bank Slip_SC -038-20210303-B.scrimages.exe

description	pid	process	target process
PID 1756 set thread context of 3188	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 2868 set thread context of 2276	2868	images.exe	images.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1324 schtasks.exe
1468 schtasks.exe

pid	process
1324	schtasks.exe
1468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

Bank Slip_SC -038-20210303-B.scrpowershell.exepowershell.exepowershell.exeimages.exepowershell.exepowershell.exe

pid	process
1756	Bank Slip_SC -038-20210303-B.scr
1756	Bank Slip_SC -038-20210303-B.scr
2748	powershell.exe
1756	Bank Slip_SC -038-20210303-B.scr
2404	powershell.exe
2748	powershell.exe
3764	powershell.exe
2404	powershell.exe
3764	powershell.exe
2748	powershell.exe
2404	powershell.exe
3764	powershell.exe
2868	images.exe
4040	powershell.exe
4040	powershell.exe
1296	powershell.exe
1296	powershell.exe
4040	powershell.exe
1296	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Bank Slip_SC -038-20210303-B.scrpowershell.exepowershell.exepowershell.exeimages.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1756	Bank Slip_SC -038-20210303-B.scr
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	2868	images.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

Bank Slip_SC -038-20210303-B.scrBank Slip_SC -038-20210303-B.scrimages.exeimages.exe

description	pid	process	target process
PID 1756 wrote to memory of 2748	1756	Bank Slip_SC -038-20210303-B.scr	powershell.exe
PID 1756 wrote to memory of 2748	1756	Bank Slip_SC -038-20210303-B.scr	powershell.exe
PID 1756 wrote to memory of 2748	1756	Bank Slip_SC -038-20210303-B.scr	powershell.exe
PID 1756 wrote to memory of 2404	1756	Bank Slip_SC -038-20210303-B.scr	powershell.exe
PID 1756 wrote to memory of 2404	1756	Bank Slip_SC -038-20210303-B.scr	powershell.exe
PID 1756 wrote to memory of 2404	1756	Bank Slip_SC -038-20210303-B.scr	powershell.exe
PID 1756 wrote to memory of 1324	1756	Bank Slip_SC -038-20210303-B.scr	schtasks.exe
PID 1756 wrote to memory of 1324	1756	Bank Slip_SC -038-20210303-B.scr	schtasks.exe
PID 1756 wrote to memory of 1324	1756	Bank Slip_SC -038-20210303-B.scr	schtasks.exe
PID 1756 wrote to memory of 3764	1756	Bank Slip_SC -038-20210303-B.scr	powershell.exe
PID 1756 wrote to memory of 3764	1756	Bank Slip_SC -038-20210303-B.scr	powershell.exe
PID 1756 wrote to memory of 3764	1756	Bank Slip_SC -038-20210303-B.scr	powershell.exe
PID 1756 wrote to memory of 3832	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 1756 wrote to memory of 3832	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 1756 wrote to memory of 3832	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 1756 wrote to memory of 3188	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 1756 wrote to memory of 3188	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 1756 wrote to memory of 3188	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 1756 wrote to memory of 3188	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 1756 wrote to memory of 3188	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 1756 wrote to memory of 3188	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 1756 wrote to memory of 3188	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 1756 wrote to memory of 3188	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 1756 wrote to memory of 3188	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 1756 wrote to memory of 3188	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 1756 wrote to memory of 3188	1756	Bank Slip_SC -038-20210303-B.scr	Bank Slip_SC -038-20210303-B.scr
PID 3188 wrote to memory of 2868	3188	Bank Slip_SC -038-20210303-B.scr	images.exe
PID 3188 wrote to memory of 2868	3188	Bank Slip_SC -038-20210303-B.scr	images.exe
PID 3188 wrote to memory of 2868	3188	Bank Slip_SC -038-20210303-B.scr	images.exe
PID 2868 wrote to memory of 4040	2868	images.exe	powershell.exe
PID 2868 wrote to memory of 4040	2868	images.exe	powershell.exe
PID 2868 wrote to memory of 4040	2868	images.exe	powershell.exe
PID 2868 wrote to memory of 1468	2868	images.exe	schtasks.exe
PID 2868 wrote to memory of 1468	2868	images.exe	schtasks.exe
PID 2868 wrote to memory of 1468	2868	images.exe	schtasks.exe
PID 2868 wrote to memory of 1296	2868	images.exe	powershell.exe
PID 2868 wrote to memory of 1296	2868	images.exe	powershell.exe
PID 2868 wrote to memory of 1296	2868	images.exe	powershell.exe
PID 2868 wrote to memory of 2276	2868	images.exe	images.exe
PID 2868 wrote to memory of 2276	2868	images.exe	images.exe
PID 2868 wrote to memory of 2276	2868	images.exe	images.exe
PID 2868 wrote to memory of 2276	2868	images.exe	images.exe
PID 2868 wrote to memory of 2276	2868	images.exe	images.exe
PID 2868 wrote to memory of 2276	2868	images.exe	images.exe
PID 2868 wrote to memory of 2276	2868	images.exe	images.exe
PID 2868 wrote to memory of 2276	2868	images.exe	images.exe
PID 2868 wrote to memory of 2276	2868	images.exe	images.exe
PID 2868 wrote to memory of 2276	2868	images.exe	images.exe
PID 2868 wrote to memory of 2276	2868	images.exe	images.exe
PID 2276 wrote to memory of 1324	2276	images.exe	cmd.exe
PID 2276 wrote to memory of 1324	2276	images.exe	cmd.exe
PID 2276 wrote to memory of 1324	2276	images.exe	cmd.exe
PID 2276 wrote to memory of 1324	2276	images.exe	cmd.exe
PID 2276 wrote to memory of 1324	2276	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Bank Slip_SC -038-20210303-B.scr
"C:\Users\Admin\AppData\Local\Temp\Bank Slip_SC -038-20210303-B.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Bank Slip_SC -038-20210303-B.scr"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KKYEacgdaYYO.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KKYEacgdaYYO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp224.tmp"
2⤵
- Creates scheduled task(s)
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KKYEacgdaYYO.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Users\Admin\AppData\Local\Temp\Bank Slip_SC -038-20210303-B.scr
"C:\Users\Admin\AppData\Local\Temp\Bank Slip_SC -038-20210303-B.scr"
2⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\Bank Slip_SC -038-20210303-B.scr
"C:\Users\Admin\AppData\Local\Temp\Bank Slip_SC -038-20210303-B.scr"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3188

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\images.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KKYEacgdaYYO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB43D.tmp"
4⤵
- Creates scheduled task(s)
PID:1468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KKYEacgdaYYO.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

MD5
0de04896312059da5e706416636ce15d

SHA1
d4b032118b54ef9772898e3db50c7524fbab9714

SHA256
abf24499470a3d16f45c1b747820a07784a1f98a5e29b2eb8414adcefe83012b

SHA512
5334242bc77d921b5ffb0b2883ece61abd47b90eb3c038e922b4b89542a4d8dba147273c173281a80b9b4476e1c5e84cd942b0dc618d911e33badeb962358823

Download Submit
C:\ProgramData\images.exe

MD5
0de04896312059da5e706416636ce15d

SHA1
d4b032118b54ef9772898e3db50c7524fbab9714

SHA256
abf24499470a3d16f45c1b747820a07784a1f98a5e29b2eb8414adcefe83012b

SHA512
5334242bc77d921b5ffb0b2883ece61abd47b90eb3c038e922b4b89542a4d8dba147273c173281a80b9b4476e1c5e84cd942b0dc618d911e33badeb962358823

Download Submit
C:\ProgramData\images.exe

MD5
0de04896312059da5e706416636ce15d

SHA1
d4b032118b54ef9772898e3db50c7524fbab9714

SHA256
abf24499470a3d16f45c1b747820a07784a1f98a5e29b2eb8414adcefe83012b

SHA512
5334242bc77d921b5ffb0b2883ece61abd47b90eb3c038e922b4b89542a4d8dba147273c173281a80b9b4476e1c5e84cd942b0dc618d911e33badeb962358823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7c04fd4169404a7736a403516e293481

SHA1
55ad92cd2810b73946a828c58bc34e6084be6d7d

SHA256
862559b79813728488c4b6f0f783419d5847051b1aa007ffae4b284a149cef47

SHA512
d386bfa458b08317ed7551495fbf316ec1ab112300d7d22ffda6b0e81b116013ee81403e7c3fea1dd686097c0cebde5a478949b6d2a8d68912ced782b41f4506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7c04fd4169404a7736a403516e293481

SHA1
55ad92cd2810b73946a828c58bc34e6084be6d7d

SHA256
862559b79813728488c4b6f0f783419d5847051b1aa007ffae4b284a149cef47

SHA512
d386bfa458b08317ed7551495fbf316ec1ab112300d7d22ffda6b0e81b116013ee81403e7c3fea1dd686097c0cebde5a478949b6d2a8d68912ced782b41f4506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
9eb5cc605f361c2ce1f6576506ab1e79

SHA1
8cf7b2167ad2ddde61b06b0fef74263a164dee9d

SHA256
fb7abfa785113d5d5291ff560241917cbfe7c08885d1efe125e5eee6547a4bcc

SHA512
390fba1138677de4d63f3841c69983690ebddfa11e97ff9671be0fadc91c6ac4c2ddbf87abba35e53caa78beae176fdbd5be7895e62c6439f35d0ee040b296ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp224.tmp

MD5
385ae24b4c19fbcbc9d55f04862d52a5

SHA1
25f8f34862a944b92c91ff83851c4aef45aa30f9

SHA256
42786e44161d99809af4a20cdb3294fb3996375df1fd9fbd9a7b78b42b90ce9b

SHA512
e623a33d24be9db5422868055214657decd1afb227edf1359bca6dd8c4c22b1a8527fb50c456a8d56204fc17b3f1c7031e64ceccf321bb421415d7eb50f8a987

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB43D.tmp

MD5
385ae24b4c19fbcbc9d55f04862d52a5

SHA1
25f8f34862a944b92c91ff83851c4aef45aa30f9

SHA256
42786e44161d99809af4a20cdb3294fb3996375df1fd9fbd9a7b78b42b90ce9b

SHA512
e623a33d24be9db5422868055214657decd1afb227edf1359bca6dd8c4c22b1a8527fb50c456a8d56204fc17b3f1c7031e64ceccf321bb421415d7eb50f8a987

Download Submit
memory/1296-215-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1296-208-0x0000000000000000-mapping.dmp

Download
memory/1296-216-0x0000000004932000-0x0000000004933000-memory.dmp

Filesize
4KB

Download
memory/1296-220-0x000000007DF30000-0x000000007DF31000-memory.dmp

Filesize
4KB

Download
memory/1296-221-0x0000000004933000-0x0000000004934000-memory.dmp

Filesize
4KB

Download
memory/1324-126-0x0000000000000000-mapping.dmp

Download
memory/1324-219-0x0000000000000000-mapping.dmp

Download
memory/1468-206-0x0000000000000000-mapping.dmp

Download
memory/1756-121-0x0000000005250000-0x000000000574E000-memory.dmp

Filesize
5.0MB

Download
memory/1756-119-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/1756-116-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/1756-117-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/1756-123-0x0000000005610000-0x000000000563D000-memory.dmp

Filesize
180KB

Download
memory/1756-120-0x00000000097C0000-0x000000000B7BF000-memory.dmp

Filesize
32.0MB

Download
memory/1756-122-0x000000000B8B0000-0x000000000B917000-memory.dmp

Filesize
412KB

Download
memory/1756-114-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1756-118-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/2276-214-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2276-209-0x0000000000405CE2-mapping.dmp

Download
memory/2404-143-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/2404-156-0x0000000004A12000-0x0000000004A13000-memory.dmp

Filesize
4KB

Download
memory/2404-154-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/2404-125-0x0000000000000000-mapping.dmp

Download
memory/2404-145-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/2404-197-0x000000007F3B0000-0x000000007F3B1000-memory.dmp

Filesize
4KB

Download
memory/2404-198-0x0000000004A13000-0x0000000004A14000-memory.dmp

Filesize
4KB

Download
memory/2748-131-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2748-141-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/2748-124-0x0000000000000000-mapping.dmp

Download
memory/2748-199-0x0000000007613000-0x0000000007614000-memory.dmp

Filesize
4KB

Download
memory/2748-133-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/2748-166-0x0000000008B90000-0x0000000008B91000-memory.dmp

Filesize
4KB

Download
memory/2748-162-0x0000000008B40000-0x0000000008B41000-memory.dmp

Filesize
4KB

Download
memory/2748-158-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/2748-153-0x0000000007612000-0x0000000007613000-memory.dmp

Filesize
4KB

Download
memory/2748-152-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/2748-196-0x000000007F010000-0x000000007F011000-memory.dmp

Filesize
4KB

Download
memory/2748-139-0x0000000007940000-0x0000000007941000-memory.dmp

Filesize
4KB

Download
memory/2868-170-0x0000000000000000-mapping.dmp

Download
memory/2868-184-0x0000000004940000-0x0000000004E3E000-memory.dmp

Filesize
5.0MB

Download
memory/3188-137-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3188-159-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3188-138-0x0000000000405CE2-mapping.dmp

Download
memory/3764-201-0x0000000004293000-0x0000000004294000-memory.dmp

Filesize
4KB

Download
memory/3764-200-0x000000007EEA0000-0x000000007EEA1000-memory.dmp

Filesize
4KB

Download
memory/3764-163-0x0000000004292000-0x0000000004293000-memory.dmp

Filesize
4KB

Download
memory/3764-161-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/3764-136-0x0000000000000000-mapping.dmp

Download
memory/4040-205-0x0000000000000000-mapping.dmp

Download
memory/4040-212-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/4040-213-0x00000000042D2000-0x00000000042D3000-memory.dmp

Filesize
4KB

Download
memory/4040-217-0x000000007F900000-0x000000007F901000-memory.dmp

Filesize
4KB

Download
memory/4040-218-0x00000000042D3000-0x00000000042D4000-memory.dmp

Filesize
4KB

Download