warzonerat | ceda1c6ee001d408498455bd2e13cbee14e99aef2923e76984dcd736e8672b8b

Resubmissions

11-07-2023 02:57

230711-dfn76sfc8y 3

26-05-2023 15:53

230526-tby5ksgc28 10

26-05-2023 11:47

230526-nx3r1afc63 3

Analysis

max time kernel
299s
max time network
296s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-05-2023 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Demanda Civil.exe
Size

822KB
MD5

d79cb033111b69e98e6b8bf804a44d39
SHA1

d4727955b8768755f5797358095aeb051ad76191
SHA256

ceda1c6ee001d408498455bd2e13cbee14e99aef2923e76984dcd736e8672b8b
SHA512

1fc2b2e13f359834dbfaeeeffcfee8275d5746ef3d210edd76ebbeffe0e23212ba0df08c6345d1b0a24ef598074fb696b29ab0d5aacc2bcd6b629434edfd560f
SSDEEP

12288:7RWNcr8oxnFEAmDAmSuW+3ULMPIxtVatCmbUdN0gCtrQBtsteCG5B4wYQexvVnVj:cNBIFR3+nPIxz9WUEr+tEy4wYLvVnocF

Score

10^/10

warzonerat infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 4 IoCs

Processes:

DemandaCivil.exeDemandaCivil.exeDocumentos.exeDocumentos.exe

pid process

1372 DemandaCivil.exe
528 DemandaCivil.exe
2016 Documentos.exe
772 Documentos.exe

pid	process
1372	DemandaCivil.exe
528	DemandaCivil.exe
2016	Documentos.exe
772	Documentos.exe

Loads dropped DLL 9 IoCs

Processes:

Demanda Civil.exeDemandaCivil.exeDemandaCivil.exeDocumentos.exe

pid	process
1996	Demanda Civil.exe
1996	Demanda Civil.exe
1996	Demanda Civil.exe
1996	Demanda Civil.exe
1996	Demanda Civil.exe
1372	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
2016	Documentos.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

DemandaCivil.exeDocumentos.exe

pid process

528 DemandaCivil.exe
528 DemandaCivil.exe
772 Documentos.exe
772 Documentos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

DemandaCivil.exeDocumentos.exe

description	pid	process	target process
PID 1372 set thread context of 528	1372	DemandaCivil.exe	DemandaCivil.exe
PID 2016 set thread context of 772	2016	Documentos.exe	Documentos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DemandaCivil.exeDocumentos.exe

pid	process
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
528	DemandaCivil.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe
772	Documentos.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

DemandaCivil.exeDocumentos.exe

pid process

1372 DemandaCivil.exe
2016 Documentos.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

DemandaCivil.exeAcroRd32.exeDocumentos.exe

pid process

1372 DemandaCivil.exe
1916 AcroRd32.exe
1916 AcroRd32.exe
1916 AcroRd32.exe
2016 Documentos.exe

pid	process
1372	DemandaCivil.exe
2016	Documentos.exe

pid	process
1372	DemandaCivil.exe
1916	AcroRd32.exe
1916	AcroRd32.exe
1916	AcroRd32.exe
2016	Documentos.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

Demanda Civil.exeDemandaCivil.exeDemandaCivil.execmd.exeDocumentos.exeDocumentos.exe

description	pid	process	target process
PID 1996 wrote to memory of 1372	1996	Demanda Civil.exe	DemandaCivil.exe
PID 1996 wrote to memory of 1372	1996	Demanda Civil.exe	DemandaCivil.exe
PID 1996 wrote to memory of 1372	1996	Demanda Civil.exe	DemandaCivil.exe
PID 1996 wrote to memory of 1372	1996	Demanda Civil.exe	DemandaCivil.exe
PID 1996 wrote to memory of 1372	1996	Demanda Civil.exe	DemandaCivil.exe
PID 1996 wrote to memory of 1372	1996	Demanda Civil.exe	DemandaCivil.exe
PID 1996 wrote to memory of 1372	1996	Demanda Civil.exe	DemandaCivil.exe
PID 1996 wrote to memory of 1916	1996	Demanda Civil.exe	AcroRd32.exe
PID 1996 wrote to memory of 1916	1996	Demanda Civil.exe	AcroRd32.exe
PID 1996 wrote to memory of 1916	1996	Demanda Civil.exe	AcroRd32.exe
PID 1996 wrote to memory of 1916	1996	Demanda Civil.exe	AcroRd32.exe
PID 1996 wrote to memory of 1916	1996	Demanda Civil.exe	AcroRd32.exe
PID 1996 wrote to memory of 1916	1996	Demanda Civil.exe	AcroRd32.exe
PID 1996 wrote to memory of 1916	1996	Demanda Civil.exe	AcroRd32.exe
PID 1372 wrote to memory of 528	1372	DemandaCivil.exe	DemandaCivil.exe
PID 1372 wrote to memory of 528	1372	DemandaCivil.exe	DemandaCivil.exe
PID 1372 wrote to memory of 528	1372	DemandaCivil.exe	DemandaCivil.exe
PID 1372 wrote to memory of 528	1372	DemandaCivil.exe	DemandaCivil.exe
PID 1372 wrote to memory of 528	1372	DemandaCivil.exe	DemandaCivil.exe
PID 1372 wrote to memory of 528	1372	DemandaCivil.exe	DemandaCivil.exe
PID 1372 wrote to memory of 528	1372	DemandaCivil.exe	DemandaCivil.exe
PID 1372 wrote to memory of 528	1372	DemandaCivil.exe	DemandaCivil.exe
PID 528 wrote to memory of 1936	528	DemandaCivil.exe	cmd.exe
PID 528 wrote to memory of 1936	528	DemandaCivil.exe	cmd.exe
PID 528 wrote to memory of 1936	528	DemandaCivil.exe	cmd.exe
PID 528 wrote to memory of 1936	528	DemandaCivil.exe	cmd.exe
PID 528 wrote to memory of 1936	528	DemandaCivil.exe	cmd.exe
PID 528 wrote to memory of 1936	528	DemandaCivil.exe	cmd.exe
PID 528 wrote to memory of 1936	528	DemandaCivil.exe	cmd.exe
PID 528 wrote to memory of 2016	528	DemandaCivil.exe	Documentos.exe
PID 528 wrote to memory of 2016	528	DemandaCivil.exe	Documentos.exe
PID 528 wrote to memory of 2016	528	DemandaCivil.exe	Documentos.exe
PID 528 wrote to memory of 2016	528	DemandaCivil.exe	Documentos.exe
PID 528 wrote to memory of 2016	528	DemandaCivil.exe	Documentos.exe
PID 528 wrote to memory of 2016	528	DemandaCivil.exe	Documentos.exe
PID 528 wrote to memory of 2016	528	DemandaCivil.exe	Documentos.exe
PID 1936 wrote to memory of 1060	1936	cmd.exe	reg.exe
PID 1936 wrote to memory of 1060	1936	cmd.exe	reg.exe
PID 1936 wrote to memory of 1060	1936	cmd.exe	reg.exe
PID 1936 wrote to memory of 1060	1936	cmd.exe	reg.exe
PID 1936 wrote to memory of 1060	1936	cmd.exe	reg.exe
PID 1936 wrote to memory of 1060	1936	cmd.exe	reg.exe
PID 1936 wrote to memory of 1060	1936	cmd.exe	reg.exe
PID 2016 wrote to memory of 772	2016	Documentos.exe	Documentos.exe
PID 2016 wrote to memory of 772	2016	Documentos.exe	Documentos.exe
PID 2016 wrote to memory of 772	2016	Documentos.exe	Documentos.exe
PID 2016 wrote to memory of 772	2016	Documentos.exe	Documentos.exe
PID 2016 wrote to memory of 772	2016	Documentos.exe	Documentos.exe
PID 2016 wrote to memory of 772	2016	Documentos.exe	Documentos.exe
PID 2016 wrote to memory of 772	2016	Documentos.exe	Documentos.exe
PID 2016 wrote to memory of 772	2016	Documentos.exe	Documentos.exe
PID 772 wrote to memory of 1728	772	Documentos.exe	cmd.exe
PID 772 wrote to memory of 1728	772	Documentos.exe	cmd.exe
PID 772 wrote to memory of 1728	772	Documentos.exe	cmd.exe
PID 772 wrote to memory of 1728	772	Documentos.exe	cmd.exe
PID 772 wrote to memory of 1728	772	Documentos.exe	cmd.exe
PID 772 wrote to memory of 1728	772	Documentos.exe	cmd.exe
PID 772 wrote to memory of 1728	772	Documentos.exe	cmd.exe
PID 772 wrote to memory of 1728	772	Documentos.exe	cmd.exe
PID 772 wrote to memory of 1728	772	Documentos.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Demanda Civil.exe
"C:\Users\Admin\AppData\Local\Temp\Demanda Civil.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\DemandaCivil.exe
"C:\Users\Admin\AppData\Local\Temp\DemandaCivil.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\DemandaCivil.exe
"C:\Users\Admin\AppData\Local\Temp\DemandaCivil.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\Admin\Documents\Documentos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\Admin\Documents\Documentos.exe"
5⤵
PID:1060

C:\Users\Admin\Documents\Documentos.exe
"C:\Users\Admin\Documents\Documentos.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\Documents\Documentos.exe
"C:\Users\Admin\Documents\Documentos.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
6⤵
PID:1728

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Demanda civil.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Demanda civil.pdf
Filesize
884B

MD5
d5088a8ca6aa7f61a7a13c7002a60787

SHA1
022815c93f290a09d6696f0518986b2e5500020a

SHA256
d27af449c0aced5f18841107f4b4a9475441ae57f3050400f8eed2bf2fcefd42

SHA512
06802bd6912775096e0d015f2e5116ba2668c28d6d240c327ccf750039143eb499d6ae4cb96c741c0cdb757d35e367c45d2d8d1043f939b80bb383d944f51a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\DemandaCivil.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\DemandaCivil.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\DemandaCivil.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\DemandaCivil.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
C:\Users\Admin\Documents\Documentos.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
C:\Users\Admin\Documents\Documentos.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
C:\Users\Admin\Documents\Documentos.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
\Users\Admin\AppData\Local\Temp\DemandaCivil.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
\Users\Admin\AppData\Local\Temp\DemandaCivil.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
\Users\Admin\AppData\Local\Temp\DemandaCivil.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
\Users\Admin\AppData\Local\Temp\DemandaCivil.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
\Users\Admin\AppData\Local\Temp\DemandaCivil.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
\Users\Admin\AppData\Local\Temp\DemandaCivil.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
\Users\Admin\Documents\Documentos.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
\Users\Admin\Documents\Documentos.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
\Users\Admin\Documents\Documentos.exe
Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
memory/528-86-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/528-87-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/528-88-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/528-89-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/528-84-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/528-104-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/528-106-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/528-80-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/772-117-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/772-115-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/772-118-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/772-119-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/772-120-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/772-124-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/772-129-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1372-77-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1372-83-0x00000000003D0000-0x00000000003D9000-memory.dmp

Filesize
36KB

Download
memory/1728-126-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1728-125-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2016-109-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download