warzonerat | 4d82a03f042d156e6f3111365ddf51b7be23d588eccea9141ea71250e690674f

Analysis

max time kernel
111s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1601595cb4aa5628f9240a619e089a90N.exe
Size

1.4MB
MD5

1601595cb4aa5628f9240a619e089a90
SHA1

edc671282f3601507cdeeb12ef271adb38877003
SHA256

4d82a03f042d156e6f3111365ddf51b7be23d588eccea9141ea71250e690674f
SHA512

fd8be2d2c90ddd9c3d1b9c583298819d38a66b22bd53edfe414a5b4d9b53bb5840d1a350cc949086b9e3340bc388725e4cf3ad6d8960a18593b7f24416c8d1de
SSDEEP

24576:71x4M5x8m5m8A2godHOnD8KWUoykDsJAT5/A9zBOeu9bcYz4CJZKhvTcPiJ:7Pj5m8PynD8KWUmYJAGpB3+IY4CXCvTW

Score

10^/10

warzonerat discovery execution infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 11 IoCs

rat

resource	yara_rule
behavioral2/memory/4228-12-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral2/memory/4228-13-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral2/memory/4228-15-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral2/memory/4228-16-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral2/files/0x000c0000000233b6-27.dat	warzonerat
behavioral2/memory/4228-134-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral2/memory/2196-165-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral2/memory/2196-277-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral2/memory/2196-278-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral2/memory/2196-290-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat
behavioral2/memory/2196-310-0x0000000000400000-0x00000000004E3000-memory.dmp	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4260	powershell.exe
2376	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1601595cb4aa5628f9240a619e089a90N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1601595cb4aa5628f9240a619e089a90N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
1108	._cache_1601595cb4aa5628f9240a619e089a90N.exe
4944	Synaptics.exe
452	Synaptics.exe
2196	Synaptics.exe
2272	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	1601595cb4aa5628f9240a619e089a90N.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1776 set thread context of 4228	1776	1601595cb4aa5628f9240a619e089a90N.exe	93
PID 4944 set thread context of 2196	4944	Synaptics.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_1601595cb4aa5628f9240a619e089a90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1601595cb4aa5628f9240a619e089a90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1601595cb4aa5628f9240a619e089a90N.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1601595cb4aa5628f9240a619e089a90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2372	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4260	powershell.exe
4260	powershell.exe
4944	Synaptics.exe
4944	Synaptics.exe
2376	powershell.exe
2376	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	4944	Synaptics.exe
Token: SeDebugPrivilege	2376	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2372	EXCEL.EXE
2372	EXCEL.EXE
2372	EXCEL.EXE
2372	EXCEL.EXE
2372	EXCEL.EXE
2372	EXCEL.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 4260	1776	1601595cb4aa5628f9240a619e089a90N.exe	91
PID 1776 wrote to memory of 4260	1776	1601595cb4aa5628f9240a619e089a90N.exe	91
PID 1776 wrote to memory of 4260	1776	1601595cb4aa5628f9240a619e089a90N.exe	91
PID 1776 wrote to memory of 4228	1776	1601595cb4aa5628f9240a619e089a90N.exe	93
PID 1776 wrote to memory of 4228	1776	1601595cb4aa5628f9240a619e089a90N.exe	93
PID 1776 wrote to memory of 4228	1776	1601595cb4aa5628f9240a619e089a90N.exe	93
PID 1776 wrote to memory of 4228	1776	1601595cb4aa5628f9240a619e089a90N.exe	93
PID 1776 wrote to memory of 4228	1776	1601595cb4aa5628f9240a619e089a90N.exe	93
PID 1776 wrote to memory of 4228	1776	1601595cb4aa5628f9240a619e089a90N.exe	93
PID 1776 wrote to memory of 4228	1776	1601595cb4aa5628f9240a619e089a90N.exe	93
PID 1776 wrote to memory of 4228	1776	1601595cb4aa5628f9240a619e089a90N.exe	93
PID 1776 wrote to memory of 4228	1776	1601595cb4aa5628f9240a619e089a90N.exe	93
PID 1776 wrote to memory of 4228	1776	1601595cb4aa5628f9240a619e089a90N.exe	93
PID 1776 wrote to memory of 4228	1776	1601595cb4aa5628f9240a619e089a90N.exe	93
PID 4228 wrote to memory of 1108	4228	1601595cb4aa5628f9240a619e089a90N.exe	95
PID 4228 wrote to memory of 1108	4228	1601595cb4aa5628f9240a619e089a90N.exe	95
PID 4228 wrote to memory of 1108	4228	1601595cb4aa5628f9240a619e089a90N.exe	95
PID 4228 wrote to memory of 4944	4228	1601595cb4aa5628f9240a619e089a90N.exe	96
PID 4228 wrote to memory of 4944	4228	1601595cb4aa5628f9240a619e089a90N.exe	96
PID 4228 wrote to memory of 4944	4228	1601595cb4aa5628f9240a619e089a90N.exe	96
PID 4944 wrote to memory of 2376	4944	Synaptics.exe	99
PID 4944 wrote to memory of 2376	4944	Synaptics.exe	99
PID 4944 wrote to memory of 2376	4944	Synaptics.exe	99
PID 4944 wrote to memory of 452	4944	Synaptics.exe	101
PID 4944 wrote to memory of 452	4944	Synaptics.exe	101
PID 4944 wrote to memory of 452	4944	Synaptics.exe	101
PID 4944 wrote to memory of 2196	4944	Synaptics.exe	102
PID 4944 wrote to memory of 2196	4944	Synaptics.exe	102
PID 4944 wrote to memory of 2196	4944	Synaptics.exe	102
PID 4944 wrote to memory of 2196	4944	Synaptics.exe	102
PID 4944 wrote to memory of 2196	4944	Synaptics.exe	102
PID 4944 wrote to memory of 2196	4944	Synaptics.exe	102
PID 4944 wrote to memory of 2196	4944	Synaptics.exe	102
PID 4944 wrote to memory of 2196	4944	Synaptics.exe	102
PID 4944 wrote to memory of 2196	4944	Synaptics.exe	102
PID 4944 wrote to memory of 2196	4944	Synaptics.exe	102
PID 4944 wrote to memory of 2196	4944	Synaptics.exe	102
PID 2196 wrote to memory of 2272	2196	Synaptics.exe	103
PID 2196 wrote to memory of 2272	2196	Synaptics.exe	103
PID 2196 wrote to memory of 2272	2196	Synaptics.exe	103

C:\Users\Admin\AppData\Local\Temp\1601595cb4aa5628f9240a619e089a90N.exe
"C:\Users\Admin\AppData\Local\Temp\1601595cb4aa5628f9240a619e089a90N.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1601595cb4aa5628f9240a619e089a90N.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Users\Admin\AppData\Local\Temp\1601595cb4aa5628f9240a619e089a90N.exe
  "C:\Users\Admin\AppData\Local\Temp\1601595cb4aa5628f9240a619e089a90N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Users\Admin\AppData\Local\Temp\._cache_1601595cb4aa5628f9240a619e089a90N.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_1601595cb4aa5628f9240a619e089a90N.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1108
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2376
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:452
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.4MB

MD5
1601595cb4aa5628f9240a619e089a90

SHA1
edc671282f3601507cdeeb12ef271adb38877003

SHA256
4d82a03f042d156e6f3111365ddf51b7be23d588eccea9141ea71250e690674f

SHA512
fd8be2d2c90ddd9c3d1b9c583298819d38a66b22bd53edfe414a5b4d9b53bb5840d1a350cc949086b9e3340bc388725e4cf3ad6d8960a18593b7f24416c8d1de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5c79fc3bfe553050d6a82a2717c5eb43

SHA1
6beb2444c01a72b7f03673614c36f6fb5dd9b479

SHA256
55507708f1a69ffa48cd786c4866b4a3dbf03b5419f0a69fef99c4e91b34ae42

SHA512
86892b0c50f7a3a9a6af84b0dea7c5c2a98d3d31f41d630f55063453c3ab573fe97be3e304bccb2009136d6133dd9dc653617e5ba2025818f496f75e9310b2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_1601595cb4aa5628f9240a619e089a90N.exe

Filesize
132KB

MD5
b7d1a9faf64911bc6429be983d82668f

SHA1
09b5f838d19a2e82b86ec751bfe726e3d89b1017

SHA256
a1364f6fcb74ff76b1038e6c8871b23c1d5e2e28324bc365af512c04d791003c

SHA512
e5965d492bcf7da9a456ac4dc087a7164842d9d6ca6e359f67455341f979731e176db67f8e2734da4d4c141c36e78d26080a6b1cfb99b06b2b6a5f46182c86b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAE75E00

Filesize
24KB

MD5
fc4b7711e0599389ba2f962f24033099

SHA1
37bce5f8befa835c3bfd89a8fdbb33973ff6985e

SHA256
f05a73c2a80ca6336fb33a85631bb42e94fdc804e1c14991af1588714f587106

SHA512
af831fe9b758602c5a4e307f77b0910f881c47b2e9bccfa0d8e237d8d52b42bbf0e90662e6adefc0c36a3fb673cd2e8d54f6425490b532ab3c2da6009bf4f7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GdbCVlyT.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1thmg5et.dma.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1776-0-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/1776-2-0x00000000055C0000-0x0000000005B64000-memory.dmp

Filesize
5.6MB

Download
memory/1776-9-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1776-10-0x00000000055A0000-0x00000000055B6000-memory.dmp

Filesize
88KB

Download
memory/1776-11-0x000000000A0E0000-0x000000000A206000-memory.dmp

Filesize
1.1MB

Download
memory/1776-8-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/1776-7-0x0000000005570000-0x000000000558E000-memory.dmp

Filesize
120KB

Download
memory/1776-6-0x0000000005220000-0x00000000052BC000-memory.dmp

Filesize
624KB

Download
memory/1776-17-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1776-5-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1776-4-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

Filesize
40KB

Download
memory/1776-3-0x0000000004F30000-0x0000000004FC2000-memory.dmp

Filesize
584KB

Download
memory/1776-1-0x00000000003F0000-0x0000000000558000-memory.dmp

Filesize
1.4MB

Download
memory/2196-165-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2196-290-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2196-310-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2196-277-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2196-278-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2372-228-0x00007FF7FC540000-0x00007FF7FC550000-memory.dmp

Filesize
64KB

Download
memory/2372-214-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

Filesize
64KB

Download
memory/2372-287-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

Filesize
64KB

Download
memory/2372-288-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

Filesize
64KB

Download
memory/2372-289-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

Filesize
64KB

Download
memory/2372-212-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

Filesize
64KB

Download
memory/2372-286-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

Filesize
64KB

Download
memory/2372-215-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

Filesize
64KB

Download
memory/2372-227-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

Filesize
64KB

Download
memory/2372-213-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

Filesize
64KB

Download
memory/2372-229-0x00007FF7FC540000-0x00007FF7FC550000-memory.dmp

Filesize
64KB

Download
memory/2376-230-0x0000000007230000-0x0000000007241000-memory.dmp

Filesize
68KB

Download
memory/2376-231-0x0000000007270000-0x0000000007284000-memory.dmp

Filesize
80KB

Download
memory/2376-226-0x0000000006F70000-0x0000000007013000-memory.dmp

Filesize
652KB

Download
memory/2376-204-0x0000000005D60000-0x0000000005DAC000-memory.dmp

Filesize
304KB

Download
memory/2376-216-0x0000000072500000-0x000000007254C000-memory.dmp

Filesize
304KB

Download
memory/2376-170-0x0000000005670000-0x00000000059C4000-memory.dmp

Filesize
3.3MB

Download
memory/4228-134-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4228-15-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4228-16-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4228-13-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4228-18-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/4228-12-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4260-19-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/4260-146-0x0000000006F80000-0x0000000006F9E000-memory.dmp

Filesize
120KB

Download
memory/4260-159-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4260-156-0x0000000007640000-0x0000000007648000-memory.dmp

Filesize
32KB

Download
memory/4260-155-0x0000000007660000-0x000000000767A000-memory.dmp

Filesize
104KB

Download
memory/4260-154-0x0000000007560000-0x0000000007574000-memory.dmp

Filesize
80KB

Download
memory/4260-153-0x0000000007550000-0x000000000755E000-memory.dmp

Filesize
56KB

Download
memory/4260-152-0x0000000007520000-0x0000000007531000-memory.dmp

Filesize
68KB

Download
memory/4260-151-0x00000000075A0000-0x0000000007636000-memory.dmp

Filesize
600KB

Download
memory/4260-150-0x0000000007390000-0x000000000739A000-memory.dmp

Filesize
40KB

Download
memory/4260-149-0x0000000007320000-0x000000000733A000-memory.dmp

Filesize
104KB

Download
memory/4260-148-0x0000000007960000-0x0000000007FDA000-memory.dmp

Filesize
6.5MB

Download
memory/4260-147-0x0000000007000000-0x00000000070A3000-memory.dmp

Filesize
652KB

Download
memory/4260-20-0x0000000004A50000-0x0000000004A86000-memory.dmp

Filesize
216KB

Download
memory/4260-136-0x000000006FA70000-0x000000006FABC000-memory.dmp

Filesize
304KB

Download
memory/4260-135-0x0000000006FC0000-0x0000000006FF2000-memory.dmp

Filesize
200KB

Download
memory/4260-63-0x0000000005C20000-0x0000000005C6C000-memory.dmp

Filesize
304KB

Download
memory/4260-62-0x0000000005B90000-0x0000000005BAE000-memory.dmp

Filesize
120KB

Download
memory/4260-61-0x0000000005E20000-0x0000000006174000-memory.dmp

Filesize
3.3MB

Download
memory/4260-49-0x0000000005760000-0x0000000005782000-memory.dmp

Filesize
136KB

Download
memory/4260-51-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/4260-50-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/4260-24-0x00000000050C0000-0x00000000056E8000-memory.dmp

Filesize
6.2MB

Download
memory/4260-23-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4944-160-0x0000000005550000-0x0000000005566000-memory.dmp

Filesize
88KB

Download