warzonerat | a28d456ec326f62b15dc6257859619c1a2dc6817f332adb9c87fbb146676dc00

Analysis

max time kernel
154s
max time network
151s
platform
windows7_x64
resource
win7v20210408
submitted
08-10-2021 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
Size

557KB
MD5

513d95f880ef4b0522a50c4374e40f1f
SHA1

b89d35ab5f89a5c984ea7d4a46ced8e1603a866b
SHA256

a28d456ec326f62b15dc6257859619c1a2dc6817f332adb9c87fbb146676dc00
SHA512

922d8d138fdf2dfb77770697c57def5973d07a4d64fe5d7effeee30987330dd2611b97cb9df8da78d0cb42a35673800224fd49b6fe44f4c4f0e38dd00a6eb750

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

176.126.86.243:2021

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 10 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe	warzonerat
\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe	warzonerat
\ProgramData\microsoftupdate.exe	warzonerat
C:\ProgramData\microsoftupdate.exe	warzonerat
C:\ProgramData\microsoftupdate.exe	warzonerat
\ProgramData\microsoftupdate.exe	warzonerat
\ProgramData\microsoftupdate.exe	warzonerat
\ProgramData\microsoftupdate.exe	warzonerat

Executes dropped EXE 3 IoCs

Processes:

for 176.126.86.243.exeBTC STEALER.exemicrosoftupdate.exe

pid process

556 for 176.126.86.243.exe
1128 BTC STEALER.exe
1340 microsoftupdate.exe
Drops startup file 1 IoCs

Processes:

BTC STEALER.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk BTC STEALER.exe

pid	process
556	for 176.126.86.243.exe
1128	BTC STEALER.exe
1340	microsoftupdate.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk	BTC STEALER.exe

Loads dropped DLL 7 IoCs

Processes:

SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exefor 176.126.86.243.exemicrosoftupdate.exe

pid	process
1600	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
1600	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
1600	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
556	for 176.126.86.243.exe
1340	microsoftupdate.exe
1340	microsoftupdate.exe
1340	microsoftupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

for 176.126.86.243.exeBTC STEALER.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsdefender = "C:\\ProgramData\\microsoftupdate.exe"	for 176.126.86.243.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\BTC STEALER.exe\" .."	BTC STEALER.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe

description	pid	process	target process
PID 1628 set thread context of 1600	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1616 schtasks.exe

pid	process
1616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe

pid	process
1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe

description pid process

Token: SeDebugPrivilege 1628 SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe

description	pid	process
Token: SeDebugPrivilege	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exeSECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exefor 176.126.86.243.exemicrosoftupdate.exe

description	pid	process	target process
PID 1628 wrote to memory of 1616	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	schtasks.exe
PID 1628 wrote to memory of 1616	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	schtasks.exe
PID 1628 wrote to memory of 1616	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	schtasks.exe
PID 1628 wrote to memory of 1616	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	schtasks.exe
PID 1628 wrote to memory of 1504	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1628 wrote to memory of 1504	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1628 wrote to memory of 1504	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1628 wrote to memory of 1504	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1628 wrote to memory of 1600	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1628 wrote to memory of 1600	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1628 wrote to memory of 1600	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1628 wrote to memory of 1600	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1628 wrote to memory of 1600	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1628 wrote to memory of 1600	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1628 wrote to memory of 1600	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1628 wrote to memory of 1600	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1628 wrote to memory of 1600	1628	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1600 wrote to memory of 556	1600	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	for 176.126.86.243.exe
PID 1600 wrote to memory of 556	1600	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	for 176.126.86.243.exe
PID 1600 wrote to memory of 556	1600	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	for 176.126.86.243.exe
PID 1600 wrote to memory of 556	1600	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	for 176.126.86.243.exe
PID 1600 wrote to memory of 1128	1600	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	BTC STEALER.exe
PID 1600 wrote to memory of 1128	1600	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	BTC STEALER.exe
PID 1600 wrote to memory of 1128	1600	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	BTC STEALER.exe
PID 1600 wrote to memory of 1128	1600	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	BTC STEALER.exe
PID 556 wrote to memory of 1340	556	for 176.126.86.243.exe	microsoftupdate.exe
PID 556 wrote to memory of 1340	556	for 176.126.86.243.exe	microsoftupdate.exe
PID 556 wrote to memory of 1340	556	for 176.126.86.243.exe	microsoftupdate.exe
PID 556 wrote to memory of 1340	556	for 176.126.86.243.exe	microsoftupdate.exe
PID 556 wrote to memory of 1340	556	for 176.126.86.243.exe	microsoftupdate.exe
PID 556 wrote to memory of 1340	556	for 176.126.86.243.exe	microsoftupdate.exe
PID 556 wrote to memory of 1340	556	for 176.126.86.243.exe	microsoftupdate.exe
PID 1340 wrote to memory of 1660	1340	microsoftupdate.exe	cmd.exe
PID 1340 wrote to memory of 1660	1340	microsoftupdate.exe	cmd.exe
PID 1340 wrote to memory of 1660	1340	microsoftupdate.exe	cmd.exe
PID 1340 wrote to memory of 1660	1340	microsoftupdate.exe	cmd.exe
PID 1340 wrote to memory of 1660	1340	microsoftupdate.exe	cmd.exe
PID 1340 wrote to memory of 1660	1340	microsoftupdate.exe	cmd.exe
PID 1340 wrote to memory of 1660	1340	microsoftupdate.exe	cmd.exe
PID 1340 wrote to memory of 1660	1340	microsoftupdate.exe	cmd.exe
PID 1340 wrote to memory of 1660	1340	microsoftupdate.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
"C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHBYWHQISskoYw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A14.tmp"
2⤵
- Creates scheduled task(s)
PID:1616

C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
"C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe"
2⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
"C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe
"C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:556

C:\ProgramData\microsoftupdate.exe
"C:\ProgramData\microsoftupdate.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\BTC STEALER.exe
"C:\Users\Admin\AppData\Local\Temp\BTC STEALER.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\microsoftupdate.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
C:\ProgramData\microsoftupdate.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BTC STEALER.exe
MD5
2c97c34c375bd1fe92a6ff4c272c2096

SHA1
af1b4c20af78ce0247d69a8bddaa6234a02692ef

SHA256
321c0146561f0448a08d290535bdcc7e8fb606648ab6b5be5330e7fdc2866427

SHA512
99b9599a27b151a5c8cf960feb9c1696312a8b3c4f1397744c6d6891af773fc5708acac9ddad8a968ef0badb7f5905eddd2a3c75d3d5170ad33bbf5012904235

Download Submit
C:\Users\Admin\AppData\Local\Temp\BTC STEALER.exe
MD5
2c97c34c375bd1fe92a6ff4c272c2096

SHA1
af1b4c20af78ce0247d69a8bddaa6234a02692ef

SHA256
321c0146561f0448a08d290535bdcc7e8fb606648ab6b5be5330e7fdc2866427

SHA512
99b9599a27b151a5c8cf960feb9c1696312a8b3c4f1397744c6d6891af773fc5708acac9ddad8a968ef0badb7f5905eddd2a3c75d3d5170ad33bbf5012904235

Download Submit
C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
\ProgramData\microsoftupdate.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
\ProgramData\microsoftupdate.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
\ProgramData\microsoftupdate.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
\ProgramData\microsoftupdate.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
\Users\Admin\AppData\Local\Temp\BTC STEALER.exe
MD5
2c97c34c375bd1fe92a6ff4c272c2096

SHA1
af1b4c20af78ce0247d69a8bddaa6234a02692ef

SHA256
321c0146561f0448a08d290535bdcc7e8fb606648ab6b5be5330e7fdc2866427

SHA512
99b9599a27b151a5c8cf960feb9c1696312a8b3c4f1397744c6d6891af773fc5708acac9ddad8a968ef0badb7f5905eddd2a3c75d3d5170ad33bbf5012904235

Download Submit
\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
memory/556-77-0x0000000000000000-mapping.dmp

Download
memory/1128-85-0x0000000001ED0000-0x0000000001ED2000-memory.dmp

Filesize
8KB

Download
memory/1128-98-0x0000000001ED6000-0x0000000001EF5000-memory.dmp

Filesize
124KB

Download
memory/1128-81-0x0000000000000000-mapping.dmp

Download
memory/1128-86-0x000007FEF2910000-0x000007FEF39A6000-memory.dmp

Filesize
16.6MB

Download
memory/1340-89-0x0000000000000000-mapping.dmp

Download
memory/1600-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-84-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/1600-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-72-0x000000000042E77E-mapping.dmp

Download
memory/1600-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-66-0x0000000000000000-mapping.dmp

Download
memory/1628-65-0x0000000004F50000-0x0000000004FA3000-memory.dmp

Filesize
332KB

Download
memory/1628-64-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/1628-63-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1628-62-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1628-60-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1660-96-0x0000000000000000-mapping.dmp

Download
memory/1660-99-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1660-100-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1660-102-0x00000000001D0000-0x000000000021C000-memory.dmp

Filesize
304KB

Download