hiverat | 0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-07-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
Size

1.8MB
MD5

4e7eb50a75f8bf74751576cdd5381809
SHA1

7e0dfbdd505b9451513b828e4d392e164fe566e9
SHA256

0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c
SHA512

05b9ae0aef714798034ac0c271f5a1ef44221e9b56480f6de3e07d9e94e438bd0ba11ef44c6ff48267d0d9a94ec18355641c67d744d51326c8c7569048b660f3
SSDEEP

49152:d4FrOycrk+0UpzJtKQFHJSm4DO9qSk/kK:scrv0YTKQFHJSmeAHK

Score

10^/10

hiverat warzonerat discovery infostealer rat stealer

Malware Config

Extracted

Family

warzonerat

hive01.duckdns.org:8584

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

HiveRAT payload 15 IoCs

resource	yara_rule
behavioral1/memory/2904-91-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2056-145-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2056-144-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-92-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-82-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2056-142-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-98-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-96-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-94-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2056-139-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2056-137-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2056-135-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-89-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-86-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-84-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Warzone RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1724-65-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1724-76-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1724-69-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1724-74-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1724-71-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1724-67-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe	2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe	2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe	1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe	1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	3.exe

Executes dropped EXE 8 IoCs

pid	Process
1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
2896	1.exe
2876	2.exe
2828	3.exe
1724	1.exe
2680	2.exe
2904	2.exe
2056	3.exe

Loads dropped DLL 9 IoCs

pid	Process
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 1868	900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	31
PID 2896 set thread context of 1724	2896	1.exe	35
PID 2876 set thread context of 2904	2876	2.exe	37
PID 2828 set thread context of 2056	2828	3.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
748	2056	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
2896	1.exe
2896	1.exe
2896	1.exe
2876	2.exe
2876	2.exe
2876	2.exe
2828	3.exe
2828	3.exe
2828	3.exe
2896	1.exe
2876	2.exe
2896	1.exe
2876	2.exe
2896	1.exe
2876	2.exe
2896	1.exe
2876	2.exe
2896	1.exe
2876	2.exe
2896	1.exe
2876	2.exe
2896	1.exe
2876	2.exe
2896	1.exe
2876	2.exe
2828	3.exe
2876	2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	2.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
Token: SeDebugPrivilege	2876	2.exe
Token: SeDebugPrivilege	2896	1.exe
Token: SeDebugPrivilege	2828	3.exe
Token: SeDebugPrivilege	2904	2.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1868	900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	31
PID 900 wrote to memory of 1868	900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	31
PID 900 wrote to memory of 1868	900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	31
PID 900 wrote to memory of 1868	900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	31
PID 900 wrote to memory of 1868	900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	31
PID 900 wrote to memory of 1868	900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	31
PID 900 wrote to memory of 1868	900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	31
PID 900 wrote to memory of 1868	900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	31
PID 900 wrote to memory of 1868	900	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	31
PID 1868 wrote to memory of 2896	1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	32
PID 1868 wrote to memory of 2896	1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	32
PID 1868 wrote to memory of 2896	1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	32
PID 1868 wrote to memory of 2896	1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	32
PID 1868 wrote to memory of 2876	1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	33
PID 1868 wrote to memory of 2876	1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	33
PID 1868 wrote to memory of 2876	1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	33
PID 1868 wrote to memory of 2876	1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	33
PID 1868 wrote to memory of 2828	1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	34
PID 1868 wrote to memory of 2828	1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	34
PID 1868 wrote to memory of 2828	1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	34
PID 1868 wrote to memory of 2828	1868	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	34
PID 2896 wrote to memory of 1724	2896	1.exe	35
PID 2896 wrote to memory of 1724	2896	1.exe	35
PID 2896 wrote to memory of 1724	2896	1.exe	35
PID 2896 wrote to memory of 1724	2896	1.exe	35
PID 2896 wrote to memory of 1724	2896	1.exe	35
PID 2896 wrote to memory of 1724	2896	1.exe	35
PID 2896 wrote to memory of 1724	2896	1.exe	35
PID 2896 wrote to memory of 1724	2896	1.exe	35
PID 2896 wrote to memory of 1724	2896	1.exe	35
PID 2896 wrote to memory of 1724	2896	1.exe	35
PID 2896 wrote to memory of 1724	2896	1.exe	35
PID 2896 wrote to memory of 1724	2896	1.exe	35
PID 2876 wrote to memory of 2680	2876	2.exe	36
PID 2876 wrote to memory of 2680	2876	2.exe	36
PID 2876 wrote to memory of 2680	2876	2.exe	36
PID 2876 wrote to memory of 2680	2876	2.exe	36
PID 2876 wrote to memory of 2904	2876	2.exe	37
PID 2876 wrote to memory of 2904	2876	2.exe	37
PID 2876 wrote to memory of 2904	2876	2.exe	37
PID 2876 wrote to memory of 2904	2876	2.exe	37
PID 2876 wrote to memory of 2904	2876	2.exe	37
PID 2876 wrote to memory of 2904	2876	2.exe	37
PID 2876 wrote to memory of 2904	2876	2.exe	37
PID 2876 wrote to memory of 2904	2876	2.exe	37
PID 2876 wrote to memory of 2904	2876	2.exe	37
PID 2876 wrote to memory of 2904	2876	2.exe	37
PID 2828 wrote to memory of 2056	2828	3.exe	38
PID 2828 wrote to memory of 2056	2828	3.exe	38
PID 2828 wrote to memory of 2056	2828	3.exe	38
PID 2828 wrote to memory of 2056	2828	3.exe	38
PID 2828 wrote to memory of 2056	2828	3.exe	38
PID 2828 wrote to memory of 2056	2828	3.exe	38
PID 2828 wrote to memory of 2056	2828	3.exe	38
PID 2828 wrote to memory of 2056	2828	3.exe	38
PID 2828 wrote to memory of 2056	2828	3.exe	38
PID 2828 wrote to memory of 2056	2828	3.exe	38
PID 2056 wrote to memory of 748	2056	3.exe	39
PID 2056 wrote to memory of 748	2056	3.exe	39
PID 2056 wrote to memory of 748	2056	3.exe	39
PID 2056 wrote to memory of 748	2056	3.exe	39

C:\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\AppData\Roaming\1.exe
    "C:\Users\Admin\AppData\Roaming\1.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Roaming\1.exe
      "C:\Users\Admin\AppData\Roaming\1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1724
- - C:\Users\Admin\AppData\Roaming\2.exe
    "C:\Users\Admin\AppData\Roaming\2.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Roaming\2.exe
      "C:\Users\Admin\AppData\Roaming\2.exe"
      4⤵
      Executes dropped EXE
      PID:2680
  - - C:\Users\Admin\AppData\Roaming\2.exe
      "C:\Users\Admin\AppData\Roaming\2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2904
- - C:\Users\Admin\AppData\Roaming\3.exe
    "C:\Users\Admin\AppData\Roaming\3.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Roaming\3.exe
      "C:\Users\Admin\AppData\Roaming\3.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 528
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe

Filesize
1.8MB

MD5
4e7eb50a75f8bf74751576cdd5381809

SHA1
7e0dfbdd505b9451513b828e4d392e164fe566e9

SHA256
0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c

SHA512
05b9ae0aef714798034ac0c271f5a1ef44221e9b56480f6de3e07d9e94e438bd0ba11ef44c6ff48267d0d9a94ec18355641c67d744d51326c8c7569048b660f3

Download Submit
\Users\Admin\AppData\Roaming\1.exe

Filesize
393KB

MD5
ea33ef88c0e9cf45dcd70dc971c46e02

SHA1
68bad4331a4f108a7ced1dfe0e87a63fc5ded774

SHA256
6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709

SHA512
37c8c9404bedf6e032b1de937641b70586ad51a5a4e95fb08798a472bff5f3766123b98e4059d08f2608932d860325ab111e093276b1c71a9286b7e5d8211998

Download Submit
\Users\Admin\AppData\Roaming\2.exe

Filesize
585KB

MD5
bf400de7c5e0fb5fe483cb09c0ccb745

SHA1
46199385eb5aeccd6638d77a980c780344ac8ace

SHA256
fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc

SHA512
255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d

Download Submit
\Users\Admin\AppData\Roaming\3.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
memory/900-1-0x0000000000940000-0x0000000000B16000-memory.dmp

Filesize
1.8MB

Download
memory/900-2-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/900-3-0x0000000004D10000-0x0000000004EE0000-memory.dmp

Filesize
1.8MB

Download
memory/900-5-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/900-0-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/900-24-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1724-69-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1724-74-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1724-61-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1724-63-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1724-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1724-59-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1724-76-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1724-71-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1724-65-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1724-67-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1868-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1868-23-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/1868-8-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1868-12-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1868-22-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1868-21-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1868-52-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1868-18-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1868-10-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1868-11-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1868-15-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2056-141-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2056-137-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2056-133-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2056-135-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2056-139-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2056-142-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2056-144-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2056-145-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2828-51-0x0000000004270000-0x0000000004302000-memory.dmp

Filesize
584KB

Download
memory/2828-50-0x0000000000B10000-0x0000000000BA8000-memory.dmp

Filesize
608KB

Download
memory/2876-44-0x00000000011A0000-0x0000000001232000-memory.dmp

Filesize
584KB

Download
memory/2876-42-0x00000000013D0000-0x0000000001468000-memory.dmp

Filesize
608KB

Download
memory/2896-40-0x0000000000DA0000-0x0000000000E08000-memory.dmp

Filesize
416KB

Download
memory/2896-43-0x0000000000B10000-0x0000000000B72000-memory.dmp

Filesize
392KB

Download
memory/2904-82-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-96-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-94-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-98-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-80-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-92-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-91-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-78-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-89-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-88-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2904-86-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-84-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download