warzonerat | 1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c

Analysis

max time kernel
151s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
Size

733KB
MD5

479d23477f4dbed3eed8e22566eb4196
SHA1

44ba4888a333bb611db621e1f55837f403c84536
SHA256

1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c
SHA512

6ed4f2d3a1bd103a043aa8f1c43daa98e22a1721eb9fb8828bed54b2a9c9f5c9a507fcca86e74f79d4b83b818fe4a2c47a63b32c1e876deab75d8c612557f632
SSDEEP

12288:Vctnxl9AW8CJn8QwOBasVz/Huj+s6tZ6t1kg586aWHff:udX94CJ8uDr4+ne1B5O8f

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4604-142-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/4604-145-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/4604-149-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/4604-154-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/2784-178-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/2784-179-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/2784-181-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat

Executes dropped EXE 4 IoCs

Processes:

internetexploer.exeinternetexploer.exeinternetexploer.exeinternetexploer.exe

pid process

2204 internetexploer.exe
1824 internetexploer.exe
3560 internetexploer.exe
2784 internetexploer.exe

pid	process
2204	internetexploer.exe
1824	internetexploer.exe
3560	internetexploer.exe
2784	internetexploer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

internetexploer.exe1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	internetexploer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\internetexploer.exe = "C:\\Users\\Admin\\Documents\\internetexploer.exe"	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exeinternetexploer.exe

description	pid	process	target process
PID 4928 set thread context of 4604	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
PID 2204 set thread context of 2784	2204	internetexploer.exe	internetexploer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4284 schtasks.exe
4648 schtasks.exe

pid	process
4284	schtasks.exe
4648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exeinternetexploer.exe

pid	process
1984	powershell.exe
1984	powershell.exe
3756	powershell.exe
2204	internetexploer.exe
2204	internetexploer.exe
2204	internetexploer.exe
2204	internetexploer.exe
3756	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeinternetexploer.exe

description	pid	process
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	2204	internetexploer.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exeinternetexploer.exe

description	pid	process	target process
PID 4928 wrote to memory of 1984	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	powershell.exe
PID 4928 wrote to memory of 1984	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	powershell.exe
PID 4928 wrote to memory of 1984	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	powershell.exe
PID 4928 wrote to memory of 4284	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	schtasks.exe
PID 4928 wrote to memory of 4284	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	schtasks.exe
PID 4928 wrote to memory of 4284	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	schtasks.exe
PID 4928 wrote to memory of 4604	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
PID 4928 wrote to memory of 4604	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
PID 4928 wrote to memory of 4604	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
PID 4928 wrote to memory of 4604	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
PID 4928 wrote to memory of 4604	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
PID 4928 wrote to memory of 4604	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
PID 4928 wrote to memory of 4604	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
PID 4928 wrote to memory of 4604	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
PID 4928 wrote to memory of 4604	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
PID 4928 wrote to memory of 4604	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
PID 4928 wrote to memory of 4604	4928	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
PID 4604 wrote to memory of 2204	4604	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	internetexploer.exe
PID 4604 wrote to memory of 2204	4604	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	internetexploer.exe
PID 4604 wrote to memory of 2204	4604	1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe	internetexploer.exe
PID 2204 wrote to memory of 3756	2204	internetexploer.exe	powershell.exe
PID 2204 wrote to memory of 3756	2204	internetexploer.exe	powershell.exe
PID 2204 wrote to memory of 3756	2204	internetexploer.exe	powershell.exe
PID 2204 wrote to memory of 4648	2204	internetexploer.exe	schtasks.exe
PID 2204 wrote to memory of 4648	2204	internetexploer.exe	schtasks.exe
PID 2204 wrote to memory of 4648	2204	internetexploer.exe	schtasks.exe
PID 2204 wrote to memory of 1824	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 1824	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 1824	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 3560	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 3560	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 3560	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 2784	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 2784	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 2784	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 2784	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 2784	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 2784	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 2784	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 2784	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 2784	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 2784	2204	internetexploer.exe	internetexploer.exe
PID 2204 wrote to memory of 2784	2204	internetexploer.exe	internetexploer.exe

C:\Users\Admin\AppData\Local\Temp\1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
"C:\Users\Admin\AppData\Local\Temp\1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZUDRzA.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZUDRzA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67B3.tmp"
2⤵
- Creates scheduled task(s)
PID:4284

C:\Users\Admin\AppData\Local\Temp\1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe
"C:\Users\Admin\AppData\Local\Temp\1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604

C:\Users\Admin\Documents\internetexploer.exe
"C:\Users\Admin\Documents\internetexploer.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZUDRzA.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZUDRzA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB75.tmp"
4⤵
- Creates scheduled task(s)
PID:4648

C:\Users\Admin\Documents\internetexploer.exe
"C:\Users\Admin\Documents\internetexploer.exe"
4⤵
- Executes dropped EXE
PID:1824

C:\Users\Admin\Documents\internetexploer.exe
"C:\Users\Admin\Documents\internetexploer.exe"
4⤵
- Executes dropped EXE
PID:3560

C:\Users\Admin\Documents\internetexploer.exe
"C:\Users\Admin\Documents\internetexploer.exe"
4⤵
- Executes dropped EXE
PID:2784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
11ea9e0d4e9b016071e34926b3b9b7be

SHA1
c5505e145917f860e2561552c54bbe4f7273dcda

SHA256
543725cf6b181f21c34b1f45604121257b98838df9ce1c955daabbed7bc67bff

SHA512
34036cd55bb5a7ca6fd4da3e51c68f8aa0cb7631b3ececf6c43be0cd40980d08d249c75d96c688eceed78bd4f8e87bbd266a77edde58a48bfbb44eabcf75cf78

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp67B3.tmp
Filesize
1KB

MD5
c994c14406f405e5d2a36bc066138680

SHA1
73098abafa545525eb8ac4dba13ede9352f21b01

SHA256
a8f719caeab584826fd5e17de1dc8f40ed21effef661bdaeb65b37f250719cd4

SHA512
484f94482fa10d2c1893d59f28e459e9a22f49d1bf37843e13e87f93c7c2c3f33377e9e3bd0a51dcc8fefed587d9fc4c395dbe26b2c4c3f31659104740a5e832

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB75.tmp
Filesize
1KB

MD5
c994c14406f405e5d2a36bc066138680

SHA1
73098abafa545525eb8ac4dba13ede9352f21b01

SHA256
a8f719caeab584826fd5e17de1dc8f40ed21effef661bdaeb65b37f250719cd4

SHA512
484f94482fa10d2c1893d59f28e459e9a22f49d1bf37843e13e87f93c7c2c3f33377e9e3bd0a51dcc8fefed587d9fc4c395dbe26b2c4c3f31659104740a5e832

Download Submit
C:\Users\Admin\Documents\internetexploer.exe
Filesize
733KB

MD5
479d23477f4dbed3eed8e22566eb4196

SHA1
44ba4888a333bb611db621e1f55837f403c84536

SHA256
1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c

SHA512
6ed4f2d3a1bd103a043aa8f1c43daa98e22a1721eb9fb8828bed54b2a9c9f5c9a507fcca86e74f79d4b83b818fe4a2c47a63b32c1e876deab75d8c612557f632

Download Submit
C:\Users\Admin\Documents\internetexploer.exe
Filesize
733KB

MD5
479d23477f4dbed3eed8e22566eb4196

SHA1
44ba4888a333bb611db621e1f55837f403c84536

SHA256
1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c

SHA512
6ed4f2d3a1bd103a043aa8f1c43daa98e22a1721eb9fb8828bed54b2a9c9f5c9a507fcca86e74f79d4b83b818fe4a2c47a63b32c1e876deab75d8c612557f632

Download Submit
C:\Users\Admin\Documents\internetexploer.exe
Filesize
733KB

MD5
479d23477f4dbed3eed8e22566eb4196

SHA1
44ba4888a333bb611db621e1f55837f403c84536

SHA256
1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c

SHA512
6ed4f2d3a1bd103a043aa8f1c43daa98e22a1721eb9fb8828bed54b2a9c9f5c9a507fcca86e74f79d4b83b818fe4a2c47a63b32c1e876deab75d8c612557f632

Download Submit
C:\Users\Admin\Documents\internetexploer.exe
Filesize
733KB

MD5
479d23477f4dbed3eed8e22566eb4196

SHA1
44ba4888a333bb611db621e1f55837f403c84536

SHA256
1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c

SHA512
6ed4f2d3a1bd103a043aa8f1c43daa98e22a1721eb9fb8828bed54b2a9c9f5c9a507fcca86e74f79d4b83b818fe4a2c47a63b32c1e876deab75d8c612557f632

Download Submit
C:\Users\Admin\Documents\internetexploer.exe
Filesize
733KB

MD5
479d23477f4dbed3eed8e22566eb4196

SHA1
44ba4888a333bb611db621e1f55837f403c84536

SHA256
1bff37b3f897e8f9bdb33018eb927784167c172defed492759583d61fff39e4c

SHA512
6ed4f2d3a1bd103a043aa8f1c43daa98e22a1721eb9fb8828bed54b2a9c9f5c9a507fcca86e74f79d4b83b818fe4a2c47a63b32c1e876deab75d8c612557f632

Download Submit
memory/1824-169-0x0000000000000000-mapping.dmp

Download
memory/1984-155-0x0000000006830000-0x0000000006862000-memory.dmp

Filesize
200KB

Download
memory/1984-159-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/1984-164-0x0000000007890000-0x0000000007898000-memory.dmp

Filesize
32KB

Download
memory/1984-146-0x00000000052A0000-0x00000000052C2000-memory.dmp

Filesize
136KB

Download
memory/1984-147-0x0000000005340000-0x00000000053A6000-memory.dmp

Filesize
408KB

Download
memory/1984-148-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/1984-163-0x00000000078B0000-0x00000000078CA000-memory.dmp

Filesize
104KB

Download
memory/1984-150-0x0000000006270000-0x000000000628E000-memory.dmp

Filesize
120KB

Download
memory/1984-162-0x00000000077A0000-0x00000000077AE000-memory.dmp

Filesize
56KB

Download
memory/1984-161-0x00000000077F0000-0x0000000007886000-memory.dmp

Filesize
600KB

Download
memory/1984-160-0x00000000075E0000-0x00000000075EA000-memory.dmp

Filesize
40KB

Download
memory/1984-143-0x0000000005560000-0x0000000005B88000-memory.dmp

Filesize
6.2MB

Download
memory/1984-137-0x0000000000000000-mapping.dmp

Download
memory/1984-156-0x0000000070F30000-0x0000000070F7C000-memory.dmp

Filesize
304KB

Download
memory/1984-157-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/1984-158-0x0000000007BC0000-0x000000000823A000-memory.dmp

Filesize
6.5MB

Download
memory/1984-139-0x0000000002920000-0x0000000002956000-memory.dmp

Filesize
216KB

Download
memory/2204-151-0x0000000000000000-mapping.dmp

Download
memory/2784-173-0x0000000000000000-mapping.dmp

Download
memory/2784-178-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2784-179-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2784-181-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3560-171-0x0000000000000000-mapping.dmp

Download
memory/3756-165-0x0000000000000000-mapping.dmp

Download
memory/3756-180-0x0000000071660000-0x00000000716AC000-memory.dmp

Filesize
304KB

Download
memory/4284-138-0x0000000000000000-mapping.dmp

Download
memory/4604-142-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/4604-145-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/4604-154-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/4604-141-0x0000000000000000-mapping.dmp

Download
memory/4604-149-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/4648-166-0x0000000000000000-mapping.dmp

Download
memory/4928-132-0x0000000000910000-0x00000000009CE000-memory.dmp

Filesize
760KB

Download
memory/4928-133-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/4928-134-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/4928-135-0x0000000005400000-0x000000000540A000-memory.dmp

Filesize
40KB

Download
memory/4928-136-0x0000000009270000-0x000000000930C000-memory.dmp

Filesize
624KB

Download