warzonerat | 992b56b79a843169ba34ca3a99d974b8bb647f2bf0d6231cf2c1d86badb1b29c

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-10-2024 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCUMENT 4428839 pdf.exe
Size

440KB
MD5

5e87783b71d535bcaf402e2278c91048
SHA1

7e7faec34ecbe87ec3d18a402ff2e71fe3dcb533
SHA256

7c226fda60b190a13b95e0e5e992506ec7214ef9789e2117b4ee11981dad3158
SHA512

f1851e0d8fdcaeb22c3405b2bd23d9397e92fa367bc6576b8f0f200458b33c1356cdb57b1dac3a5ec5eb157a9eec5c933a2b0b2035f4033393db8badac60f4d9
SSDEEP

6144:TE9eMLIjdWdvwXXuqmDxIA3wkAyxHZUYCjUrpcrFiLDcUfqxwz74Gk96kAD:TpaJZMeqmDXXA6CjUrqiLOxwz7Y

Score

10^/10

warzonerat discovery infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Drops startup file 2 IoCs

Processes:

DOCUMENT 4428839 pdf.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	DOCUMENT 4428839 pdf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	DOCUMENT 4428839 pdf.exe

Executes dropped EXE 2 IoCs

Processes:

win32.exewin32.exe

pid	Process
11868	win32.exe
11720	win32.exe

Loads dropped DLL 2 IoCs

Processes:

DOCUMENT 4428839 pdf.exewin32.exe

pid	Process
11744	DOCUMENT 4428839 pdf.exe
11868	win32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

DOCUMENT 4428839 pdf.exewin32.exe

description	pid	Process	procid_target
PID 2700 set thread context of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 11868 set thread context of 11720	11868	win32.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exereg.exeDOCUMENT 4428839 pdf.exewin32.execmd.exepowershell.exepowershell.exewin32.exeDOCUMENT 4428839 pdf.exepowershell.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCUMENT 4428839 pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCUMENT 4428839 pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NTFS ADS 1 IoCs

Processes:

DOCUMENT 4428839 pdf.exe

description	ioc	Process
File created	C:\ProgramData:ApplicationData	DOCUMENT 4428839 pdf.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exeDOCUMENT 4428839 pdf.exepowershell.exepowershell.exewin32.exe

pid	Process
2820	powershell.exe
2624	powershell.exe
2700	DOCUMENT 4428839 pdf.exe
2700	DOCUMENT 4428839 pdf.exe
11964	powershell.exe
12104	powershell.exe
11868	win32.exe
11868	win32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeDOCUMENT 4428839 pdf.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeIncreaseQuotaPrivilege	2820	powershell.exe
Token: SeSecurityPrivilege	2820	powershell.exe
Token: SeTakeOwnershipPrivilege	2820	powershell.exe
Token: SeLoadDriverPrivilege	2820	powershell.exe
Token: SeSystemProfilePrivilege	2820	powershell.exe
Token: SeSystemtimePrivilege	2820	powershell.exe
Token: SeProfSingleProcessPrivilege	2820	powershell.exe
Token: SeIncBasePriorityPrivilege	2820	powershell.exe
Token: SeCreatePagefilePrivilege	2820	powershell.exe
Token: SeBackupPrivilege	2820	powershell.exe
Token: SeRestorePrivilege	2820	powershell.exe
Token: SeShutdownPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeSystemEnvironmentPrivilege	2820	powershell.exe
Token: SeRemoteShutdownPrivilege	2820	powershell.exe
Token: SeUndockPrivilege	2820	powershell.exe
Token: SeManageVolumePrivilege	2820	powershell.exe
Token: 33	2820	powershell.exe
Token: 34	2820	powershell.exe
Token: 35	2820	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeIncreaseQuotaPrivilege	2624	powershell.exe
Token: SeSecurityPrivilege	2624	powershell.exe
Token: SeTakeOwnershipPrivilege	2624	powershell.exe
Token: SeLoadDriverPrivilege	2624	powershell.exe
Token: SeSystemProfilePrivilege	2624	powershell.exe
Token: SeSystemtimePrivilege	2624	powershell.exe
Token: SeProfSingleProcessPrivilege	2624	powershell.exe
Token: SeIncBasePriorityPrivilege	2624	powershell.exe
Token: SeCreatePagefilePrivilege	2624	powershell.exe
Token: SeBackupPrivilege	2624	powershell.exe
Token: SeRestorePrivilege	2624	powershell.exe
Token: SeShutdownPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeSystemEnvironmentPrivilege	2624	powershell.exe
Token: SeRemoteShutdownPrivilege	2624	powershell.exe
Token: SeUndockPrivilege	2624	powershell.exe
Token: SeManageVolumePrivilege	2624	powershell.exe
Token: 33	2624	powershell.exe
Token: 34	2624	powershell.exe
Token: 35	2624	powershell.exe
Token: SeDebugPrivilege	2700	DOCUMENT 4428839 pdf.exe
Token: SeDebugPrivilege	11964	powershell.exe
Token: SeIncreaseQuotaPrivilege	11964	powershell.exe
Token: SeSecurityPrivilege	11964	powershell.exe
Token: SeTakeOwnershipPrivilege	11964	powershell.exe
Token: SeLoadDriverPrivilege	11964	powershell.exe
Token: SeSystemProfilePrivilege	11964	powershell.exe
Token: SeSystemtimePrivilege	11964	powershell.exe
Token: SeProfSingleProcessPrivilege	11964	powershell.exe
Token: SeIncBasePriorityPrivilege	11964	powershell.exe
Token: SeCreatePagefilePrivilege	11964	powershell.exe
Token: SeBackupPrivilege	11964	powershell.exe
Token: SeRestorePrivilege	11964	powershell.exe
Token: SeShutdownPrivilege	11964	powershell.exe
Token: SeDebugPrivilege	11964	powershell.exe
Token: SeSystemEnvironmentPrivilege	11964	powershell.exe
Token: SeRemoteShutdownPrivilege	11964	powershell.exe
Token: SeUndockPrivilege	11964	powershell.exe
Token: SeManageVolumePrivilege	11964	powershell.exe
Token: 33	11964	powershell.exe
Token: 34	11964	powershell.exe
Token: 35	11964	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DOCUMENT 4428839 pdf.exeDOCUMENT 4428839 pdf.execmd.exewin32.exewin32.exe

description	pid	Process	procid_target
PID 2700 wrote to memory of 2820	2700	DOCUMENT 4428839 pdf.exe	30
PID 2700 wrote to memory of 2820	2700	DOCUMENT 4428839 pdf.exe	30
PID 2700 wrote to memory of 2820	2700	DOCUMENT 4428839 pdf.exe	30
PID 2700 wrote to memory of 2820	2700	DOCUMENT 4428839 pdf.exe	30
PID 2700 wrote to memory of 2624	2700	DOCUMENT 4428839 pdf.exe	33
PID 2700 wrote to memory of 2624	2700	DOCUMENT 4428839 pdf.exe	33
PID 2700 wrote to memory of 2624	2700	DOCUMENT 4428839 pdf.exe	33
PID 2700 wrote to memory of 2624	2700	DOCUMENT 4428839 pdf.exe	33
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 2700 wrote to memory of 11744	2700	DOCUMENT 4428839 pdf.exe	36
PID 11744 wrote to memory of 11852	11744	DOCUMENT 4428839 pdf.exe	37
PID 11744 wrote to memory of 11852	11744	DOCUMENT 4428839 pdf.exe	37
PID 11744 wrote to memory of 11852	11744	DOCUMENT 4428839 pdf.exe	37
PID 11744 wrote to memory of 11852	11744	DOCUMENT 4428839 pdf.exe	37
PID 11744 wrote to memory of 11868	11744	DOCUMENT 4428839 pdf.exe	39
PID 11744 wrote to memory of 11868	11744	DOCUMENT 4428839 pdf.exe	39
PID 11744 wrote to memory of 11868	11744	DOCUMENT 4428839 pdf.exe	39
PID 11744 wrote to memory of 11868	11744	DOCUMENT 4428839 pdf.exe	39
PID 11744 wrote to memory of 11868	11744	DOCUMENT 4428839 pdf.exe	39
PID 11744 wrote to memory of 11868	11744	DOCUMENT 4428839 pdf.exe	39
PID 11744 wrote to memory of 11868	11744	DOCUMENT 4428839 pdf.exe	39
PID 11852 wrote to memory of 11944	11852	cmd.exe	40
PID 11852 wrote to memory of 11944	11852	cmd.exe	40
PID 11852 wrote to memory of 11944	11852	cmd.exe	40
PID 11852 wrote to memory of 11944	11852	cmd.exe	40
PID 11868 wrote to memory of 11964	11868	win32.exe	41
PID 11868 wrote to memory of 11964	11868	win32.exe	41
PID 11868 wrote to memory of 11964	11868	win32.exe	41
PID 11868 wrote to memory of 11964	11868	win32.exe	41
PID 11868 wrote to memory of 12104	11868	win32.exe	43
PID 11868 wrote to memory of 12104	11868	win32.exe	43
PID 11868 wrote to memory of 12104	11868	win32.exe	43
PID 11868 wrote to memory of 12104	11868	win32.exe	43
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11868 wrote to memory of 11720	11868	win32.exe	45
PID 11720 wrote to memory of 2780	11720	win32.exe	46
PID 11720 wrote to memory of 2780	11720	win32.exe	46
PID 11720 wrote to memory of 2780	11720	win32.exe	46
PID 11720 wrote to memory of 2780	11720	win32.exe	46
PID 11720 wrote to memory of 2780	11720	win32.exe	46

C:\Users\Admin\AppData\Local\Temp\DOCUMENT 4428839 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DOCUMENT 4428839 pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\DOCUMENT 4428839 pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\DOCUMENT 4428839 pdf.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:11744
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\win32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:11852
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\win32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:11944
- - C:\ProgramData\win32.exe
    "C:\ProgramData\win32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:11868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:11964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:12104
  - - C:\Users\Admin\AppData\Local\Temp\win32.exe
      C:\Users\Admin\AppData\Local\Temp\win32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:11720
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
770f746bcd42343817876e18d41f2f67

SHA1
ba88c0883124a67c3cdcb8394712f25a615c5f08

SHA256
88b9747ea04594eb199542f02da46b3a595d07f2dfe58ac88485ed1232526fa7

SHA512
1e92bb08e9f48f133c3c408f8fc4f20a58f8c2f0068c63a4a631d5a8ff1f012d6fa8312145b62ab2c6ffff012a446276aa8d71451fe4f54a216b465e8bbabb06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7132e0a17658d1fdd937bcb2cb2c814e

SHA1
2069cc8085dd39c47180673eefcebe4968c33d47

SHA256
65df18ada19c7fe4efc42bacb690ce6f4245007575af1d45aaa5fc7bc3c3026d

SHA512
991b1e8a8cf8c0cd735fe66ce9abce18b28ae8e5ba4bb182fae63390fc27ba61f36299e4a97c230393d9187fe4b59672135f480e8c3aea936eb30a2830242632

Download Submit
\ProgramData\win32.exe

Filesize
440KB

MD5
5e87783b71d535bcaf402e2278c91048

SHA1
7e7faec34ecbe87ec3d18a402ff2e71fe3dcb533

SHA256
7c226fda60b190a13b95e0e5e992506ec7214ef9789e2117b4ee11981dad3158

SHA512
f1851e0d8fdcaeb22c3405b2bd23d9397e92fa367bc6576b8f0f200458b33c1356cdb57b1dac3a5ec5eb157a9eec5c933a2b0b2035f4033393db8badac60f4d9

Download Submit
memory/2700-49-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-13-0x0000000004720000-0x000000000477C000-memory.dmp

Filesize
368KB

Download
memory/2700-6-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/2700-78-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-14-0x0000000005250000-0x00000000052D0000-memory.dmp

Filesize
512KB

Download
memory/2700-36-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-34-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-32-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-30-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-28-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-26-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-24-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-22-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-20-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-18-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-76-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-15-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-64-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/2700-40-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-1-0x0000000000A70000-0x0000000000AE4000-memory.dmp

Filesize
464KB

Download
memory/2700-7-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2700-16-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-74-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-72-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-70-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-68-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-66-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-62-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-60-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-58-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-56-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-54-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-52-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-50-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-46-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-44-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-42-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-2508-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2700-38-0x0000000005250000-0x00000000052CA000-memory.dmp

Filesize
488KB

Download
memory/2700-2-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2820-5-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/11868-2522-0x0000000000E50000-0x0000000000EC4000-memory.dmp

Filesize
464KB

Download