warzonerat | 78473f3a3e461bc15c18f82ae52ad130b0f0dff4109e21b2e47f2dde90acbf46

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 23:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe
Size

8.2MB
MD5

e8aaade776c2a9e279825189b23f6eed
SHA1

b42a39d4c5888efb186480430544060f758fb8dc
SHA256

78473f3a3e461bc15c18f82ae52ad130b0f0dff4109e21b2e47f2dde90acbf46
SHA512

367e58fe5d78e84c6d33f027aaeb05fa527d70a50d2e67ff300b948363cc558317d6b715fe5cae37caf19ffc5aa587c81f2b327daf61bf295bc9a4bc841be12a
SSDEEP

49152:7C0bNechC0bNechC0bNeccC0bNechC0bNechC0bNecO:V8e8e878e8e89

Score

10^/10

warzonerat aspackv2 evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000015c9b-39.dat	warzonerat
behavioral1/files/0x0033000000015c54-74.dat	warzonerat
behavioral1/files/0x0008000000015cc8-91.dat	warzonerat
behavioral1/files/0x0007000000016c14-225.dat	warzonerat
behavioral1/memory/2196-234-0x0000000002CB0000-0x0000000002DC4000-memory.dmp	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000015c9b-39.dat	aspack_v212_v242
behavioral1/files/0x0033000000015c54-74.dat	aspack_v212_v242
behavioral1/files/0x0008000000015cc8-91.dat	aspack_v212_v242
behavioral1/files/0x0007000000016c14-225.dat	aspack_v212_v242

Executes dropped EXE 10 IoCs

pid	Process
1456	explorer.exe
1804	explorer.exe
2440	spoolsv.exe
2096	spoolsv.exe
2916	spoolsv.exe
1188	spoolsv.exe
3004	spoolsv.exe
2216	spoolsv.exe
2196	spoolsv.exe
2644	svchost.exe

Loads dropped DLL 52 IoCs

pid	Process
2572	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe
2572	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
1804	explorer.exe
1804	explorer.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
1804	explorer.exe
1804	explorer.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1804	explorer.exe
1804	explorer.exe
2376	WerFault.exe
2376	WerFault.exe
2376	WerFault.exe
2376	WerFault.exe
2376	WerFault.exe
2376	WerFault.exe
2376	WerFault.exe
1804	explorer.exe
1804	explorer.exe
2088	WerFault.exe
2088	WerFault.exe
2088	WerFault.exe
2088	WerFault.exe
2088	WerFault.exe
2088	WerFault.exe
2440	spoolsv.exe
2088	WerFault.exe
2196	spoolsv.exe
2196	spoolsv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1772 set thread context of 2572	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	30
PID 1772 set thread context of 2476	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	31
PID 1456 set thread context of 1804	1456	explorer.exe	33
PID 1456 set thread context of 1400	1456	explorer.exe	34
PID 2440 set thread context of 2196	2440	spoolsv.exe	46
PID 2440 set thread context of 2588	2440	spoolsv.exe	47

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2864	2096	WerFault.exe	36
396	2916	WerFault.exe	38
1200	1188	WerFault.exe	40
2376	3004	WerFault.exe	42
2088	2216	WerFault.exe	44

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2572	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2572	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe
2572	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
2196	spoolsv.exe
2196	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2572	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2572	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2572	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2572	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2572	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2572	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2572	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2572	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2572	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2476	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	31
PID 1772 wrote to memory of 2476	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	31
PID 1772 wrote to memory of 2476	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	31
PID 1772 wrote to memory of 2476	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	31
PID 1772 wrote to memory of 2476	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	31
PID 1772 wrote to memory of 2476	1772	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	31
PID 2572 wrote to memory of 1456	2572	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	32
PID 2572 wrote to memory of 1456	2572	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	32
PID 2572 wrote to memory of 1456	2572	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	32
PID 2572 wrote to memory of 1456	2572	e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe	32
PID 1456 wrote to memory of 1804	1456	explorer.exe	33
PID 1456 wrote to memory of 1804	1456	explorer.exe	33
PID 1456 wrote to memory of 1804	1456	explorer.exe	33
PID 1456 wrote to memory of 1804	1456	explorer.exe	33
PID 1456 wrote to memory of 1804	1456	explorer.exe	33
PID 1456 wrote to memory of 1804	1456	explorer.exe	33
PID 1456 wrote to memory of 1804	1456	explorer.exe	33
PID 1456 wrote to memory of 1804	1456	explorer.exe	33
PID 1456 wrote to memory of 1804	1456	explorer.exe	33
PID 1456 wrote to memory of 1400	1456	explorer.exe	34
PID 1456 wrote to memory of 1400	1456	explorer.exe	34
PID 1456 wrote to memory of 1400	1456	explorer.exe	34
PID 1456 wrote to memory of 1400	1456	explorer.exe	34
PID 1456 wrote to memory of 1400	1456	explorer.exe	34
PID 1456 wrote to memory of 1400	1456	explorer.exe	34
PID 1804 wrote to memory of 2440	1804	explorer.exe	35
PID 1804 wrote to memory of 2440	1804	explorer.exe	35
PID 1804 wrote to memory of 2440	1804	explorer.exe	35
PID 1804 wrote to memory of 2440	1804	explorer.exe	35
PID 1804 wrote to memory of 2096	1804	explorer.exe	36
PID 1804 wrote to memory of 2096	1804	explorer.exe	36
PID 1804 wrote to memory of 2096	1804	explorer.exe	36
PID 1804 wrote to memory of 2096	1804	explorer.exe	36
PID 2096 wrote to memory of 2864	2096	spoolsv.exe	37
PID 2096 wrote to memory of 2864	2096	spoolsv.exe	37
PID 2096 wrote to memory of 2864	2096	spoolsv.exe	37
PID 2096 wrote to memory of 2864	2096	spoolsv.exe	37
PID 1804 wrote to memory of 2916	1804	explorer.exe	38
PID 1804 wrote to memory of 2916	1804	explorer.exe	38
PID 1804 wrote to memory of 2916	1804	explorer.exe	38
PID 1804 wrote to memory of 2916	1804	explorer.exe	38
PID 2916 wrote to memory of 396	2916	spoolsv.exe	39
PID 2916 wrote to memory of 396	2916	spoolsv.exe	39
PID 2916 wrote to memory of 396	2916	spoolsv.exe	39
PID 2916 wrote to memory of 396	2916	spoolsv.exe	39
PID 1804 wrote to memory of 1188	1804	explorer.exe	40
PID 1804 wrote to memory of 1188	1804	explorer.exe	40
PID 1804 wrote to memory of 1188	1804	explorer.exe	40
PID 1804 wrote to memory of 1188	1804	explorer.exe	40
PID 1188 wrote to memory of 1200	1188	spoolsv.exe	41
PID 1188 wrote to memory of 1200	1188	spoolsv.exe	41
PID 1188 wrote to memory of 1200	1188	spoolsv.exe	41
PID 1188 wrote to memory of 1200	1188	spoolsv.exe	41
PID 1804 wrote to memory of 3004	1804	explorer.exe	42
PID 1804 wrote to memory of 3004	1804	explorer.exe	42

C:\Users\Admin\AppData\Local\Temp\e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e8aaade776c2a9e279825189b23f6eed_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2572
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2440
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Executes dropped EXE
        
        PID:2644
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1188
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2088
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:1400
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
e8aaade776c2a9e279825189b23f6eed

SHA1
b42a39d4c5888efb186480430544060f758fb8dc

SHA256
78473f3a3e461bc15c18f82ae52ad130b0f0dff4109e21b2e47f2dde90acbf46

SHA512
367e58fe5d78e84c6d33f027aaeb05fa527d70a50d2e67ff300b948363cc558317d6b715fe5cae37caf19ffc5aa587c81f2b327daf61bf295bc9a4bc841be12a

Download Submit
C:\Windows\system\explorer.exe

Filesize
8.2MB

MD5
de621bd3a2ead9fc140519c8cfab2681

SHA1
ad66f57cf27d79a6904e176203acbb6456aaf085

SHA256
03c5cb18820dadce1ec08b59270c530f0fd53bd082f3edc442ac545bad55ce61

SHA512
7fdf70f8d6e26d77cc45d720c01734c0a9135af72f3aff0c0306c3734a4cfb8e05e98b5e16c9a3025c4ca4b05372de04b4c0c1e1af5dad5c1e677245f69279b5

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.2MB

MD5
2159a0a12fa39960745b74e08c104973

SHA1
c6f34181817cf738c04b989dac86e862c8d3e7f4

SHA256
26a91bd38bf96251f1a1380cde30b6d15ec698d579cda371c8370870f2dd3eaa

SHA512
f2ad41f8b3ce3007cbdab5933dc303b21e728ada80b3fc2a042ae1e4d7fc1a411bd230ac3981009942023507feadfb727a1597eb31ecb2fad7b4c18ca33a3f8e

Download Submit
\Windows\system\svchost.exe

Filesize
8.2MB

MD5
75baaf02c37b384a9d330c0c3624a7c1

SHA1
7fb7c066a62bf2d96d5151735bafb41e81c98581

SHA256
1a93323b50d7a21b0de7c0dbd43efd9d9e1109969807af18bb79eaf7f650261c

SHA512
60049a3517483a4169dab671907ac614cae62bc491f43de6dbc42cb7a53d5e2178500f10a5ed7c2590223a37e20520193d748df3363bdd8ac3536d5cf21e725a

Download Submit
memory/1400-87-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1456-54-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1456-82-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1456-52-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1456-51-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1456-50-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1456-48-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1772-6-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1772-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1772-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1772-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1772-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1772-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1772-35-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1804-132-0x0000000002F40000-0x0000000003054000-memory.dmp

Filesize
1.1MB

Download
memory/1804-93-0x0000000002F40000-0x0000000003054000-memory.dmp

Filesize
1.1MB

Download
memory/1804-183-0x0000000002F40000-0x0000000003054000-memory.dmp

Filesize
1.1MB

Download
memory/1804-152-0x0000000002F40000-0x0000000003054000-memory.dmp

Filesize
1.1MB

Download
memory/1804-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1804-123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1804-113-0x0000000002F40000-0x0000000003054000-memory.dmp

Filesize
1.1MB

Download
memory/1804-98-0x0000000002F40000-0x0000000003054000-memory.dmp

Filesize
1.1MB

Download
memory/2096-115-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2196-238-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2196-234-0x0000000002CB0000-0x0000000002DC4000-memory.dmp

Filesize
1.1MB

Download
memory/2196-230-0x0000000002CB0000-0x0000000002DC4000-memory.dmp

Filesize
1.1MB

Download
memory/2440-103-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2440-101-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2440-102-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2440-224-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2440-124-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2440-139-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2476-37-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2476-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2476-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2476-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2476-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2572-46-0x0000000003010000-0x0000000003124000-memory.dmp

Filesize
1.1MB

Download
memory/2572-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-49-0x0000000003010000-0x0000000003124000-memory.dmp

Filesize
1.1MB

Download
memory/2572-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2588-220-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2644-232-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2644-235-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2916-134-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download