lokibot | 9932116b510401de52801ebac79b9e4dac52e3389415c02fb8d861ec39a8156d

Analysis

max time kernel
127s
max time network
136s
platform
windows7_x64
resource
win7v20201028
submitted
14-01-2021 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT Copy.doc
Size

957KB
MD5

0d1f1658ad83475a2a3ba248f22b511d
SHA1

47f8a624486c5b3e689de2613ff2f25fedba8060
SHA256

9932116b510401de52801ebac79b9e4dac52e3389415c02fb8d861ec39a8156d
SHA512

f7c91978949e16cd7ce4d922917d0e8bf69004e77f913d2d8c8f60e5709dbf5b3fb6c88d43c370642e60831ef8f3f9ad2104940ec74d87179f7b78ef1e920b20

Score

10^/10

lokibot netwire botnet persistence rat spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://51.195.53.221/p.php/cfOoZYb0LXPms

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1648-28-0x0000000000400000-0x0000000000447000-memory.dmp	netwire
behavioral1/memory/1648-29-0x0000000000401190-mapping.dmp	netwire
behavioral1/memory/1648-31-0x0000000000400000-0x0000000000447000-memory.dmp	netwire
\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exe	netwire
C:\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exe	netwire
\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Blocklisted process makes network request 2 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1776 EQNEDT32.EXE
7 1776 EQNEDT32.EXE
Executes dropped EXE 5 IoCs

Processes:

69577.exefileu.exeAddInProcess32.exeFB_83B1.tmp.exeFB_847C.tmp.exe

pid process

1324 69577.exe
592 fileu.exe
1648 AddInProcess32.exe
1780 FB_83B1.tmp.exe
316 FB_847C.tmp.exe
Loads dropped DLL 7 IoCs

Processes:

EQNEDT32.EXE69577.exefileu.exeAddInProcess32.exe

pid process

1776 EQNEDT32.EXE
1324 69577.exe
592 fileu.exe
1648 AddInProcess32.exe
1648 AddInProcess32.exe
1648 AddInProcess32.exe
1648 AddInProcess32.exe

flow	pid	process
6	1776	EQNEDT32.EXE
7	1776	EQNEDT32.EXE

pid	process
1324	69577.exe
592	fileu.exe
1648	AddInProcess32.exe
1780	FB_83B1.tmp.exe
316	FB_847C.tmp.exe

pid	process
1776	EQNEDT32.EXE
1324	69577.exe
592	fileu.exe
1648	AddInProcess32.exe
1648	AddInProcess32.exe
1648	AddInProcess32.exe
1648	AddInProcess32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\fine = "C:\\Users\\Admin\\fileu.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fileu.exe

description pid process target process

PID 592 set thread context of 1648 592 fileu.exe AddInProcess32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1776 EQNEDT32.EXE

description	pid	process	target process
PID 592 set thread context of 1648	592	fileu.exe	AddInProcess32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1776	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

848 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

69577.exefileu.exe

pid process

1324 69577.exe
1324 69577.exe
1324 69577.exe
1324 69577.exe
1324 69577.exe
592 fileu.exe
592 fileu.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

69577.exefileu.exeFB_83B1.tmp.exe

description pid process

Token: SeDebugPrivilege 1324 69577.exe
Token: SeDebugPrivilege 592 fileu.exe
Token: SeDebugPrivilege 1780 FB_83B1.tmp.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

848 WINWORD.EXE
848 WINWORD.EXE

pid	process
848	WINWORD.EXE

pid	process
1324	69577.exe
1324	69577.exe
1324	69577.exe
1324	69577.exe
1324	69577.exe
592	fileu.exe
592	fileu.exe

description	pid	process
Token: SeDebugPrivilege	1324	69577.exe
Token: SeDebugPrivilege	592	fileu.exe
Token: SeDebugPrivilege	1780	FB_83B1.tmp.exe

pid	process
848	WINWORD.EXE
848	WINWORD.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXE69577.execmd.exefileu.exeAddInProcess32.exe

description	pid	process	target process
PID 848 wrote to memory of 1972	848	WINWORD.EXE	splwow64.exe
PID 848 wrote to memory of 1972	848	WINWORD.EXE	splwow64.exe
PID 848 wrote to memory of 1972	848	WINWORD.EXE	splwow64.exe
PID 848 wrote to memory of 1972	848	WINWORD.EXE	splwow64.exe
PID 1776 wrote to memory of 1324	1776	EQNEDT32.EXE	69577.exe
PID 1776 wrote to memory of 1324	1776	EQNEDT32.EXE	69577.exe
PID 1776 wrote to memory of 1324	1776	EQNEDT32.EXE	69577.exe
PID 1776 wrote to memory of 1324	1776	EQNEDT32.EXE	69577.exe
PID 1324 wrote to memory of 1232	1324	69577.exe	cmd.exe
PID 1324 wrote to memory of 1232	1324	69577.exe	cmd.exe
PID 1324 wrote to memory of 1232	1324	69577.exe	cmd.exe
PID 1324 wrote to memory of 1232	1324	69577.exe	cmd.exe
PID 1232 wrote to memory of 1772	1232	cmd.exe	reg.exe
PID 1232 wrote to memory of 1772	1232	cmd.exe	reg.exe
PID 1232 wrote to memory of 1772	1232	cmd.exe	reg.exe
PID 1232 wrote to memory of 1772	1232	cmd.exe	reg.exe
PID 1324 wrote to memory of 592	1324	69577.exe	fileu.exe
PID 1324 wrote to memory of 592	1324	69577.exe	fileu.exe
PID 1324 wrote to memory of 592	1324	69577.exe	fileu.exe
PID 1324 wrote to memory of 592	1324	69577.exe	fileu.exe
PID 592 wrote to memory of 1648	592	fileu.exe	AddInProcess32.exe
PID 592 wrote to memory of 1648	592	fileu.exe	AddInProcess32.exe
PID 592 wrote to memory of 1648	592	fileu.exe	AddInProcess32.exe
PID 592 wrote to memory of 1648	592	fileu.exe	AddInProcess32.exe
PID 592 wrote to memory of 1648	592	fileu.exe	AddInProcess32.exe
PID 592 wrote to memory of 1648	592	fileu.exe	AddInProcess32.exe
PID 592 wrote to memory of 1648	592	fileu.exe	AddInProcess32.exe
PID 592 wrote to memory of 1648	592	fileu.exe	AddInProcess32.exe
PID 592 wrote to memory of 1648	592	fileu.exe	AddInProcess32.exe
PID 592 wrote to memory of 1648	592	fileu.exe	AddInProcess32.exe
PID 1648 wrote to memory of 1780	1648	AddInProcess32.exe	FB_83B1.tmp.exe
PID 1648 wrote to memory of 1780	1648	AddInProcess32.exe	FB_83B1.tmp.exe
PID 1648 wrote to memory of 1780	1648	AddInProcess32.exe	FB_83B1.tmp.exe
PID 1648 wrote to memory of 1780	1648	AddInProcess32.exe	FB_83B1.tmp.exe
PID 1648 wrote to memory of 316	1648	AddInProcess32.exe	FB_847C.tmp.exe
PID 1648 wrote to memory of 316	1648	AddInProcess32.exe	FB_847C.tmp.exe
PID 1648 wrote to memory of 316	1648	AddInProcess32.exe	FB_847C.tmp.exe
PID 1648 wrote to memory of 316	1648	AddInProcess32.exe	FB_847C.tmp.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\TT Copy.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1972

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Public\69577.exe
"C:\Users\Public\69577.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "fine" /t REG_SZ /d "C:\Users\Admin\fileu.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "fine" /t REG_SZ /d "C:\Users\Admin\fileu.exe"
4⤵
- Adds Run key to start application
PID:1772

C:\Users\Admin\fileu.exe
"C:\Users\Admin\fileu.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\FB_83B1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_83B1.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exe"
5⤵
- Executes dropped EXE
PID:316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_83B1.tmp.exe
MD5
0144accd439cb4d05d547bc226306a90

SHA1
be9ccb630380f6a45b07a85bdc28700e01f9a599

SHA256
1bf2641e0004d676d699746eaf1b488a3573e06abcd4cd7fa81c67a2154ca7ed

SHA512
9edb13afab8300e771067bc93141dcb08a52268d7f408e712e5be84de7913174510d2f2b81e1db2dad4ccb7acd876e242c9969653824e46fa07fa942bd9bef97

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exe
MD5
669c3ae5b4730a47e198541a91d6d0ac

SHA1
b682abe4a0bc4f6d0869e4f14cf36bff6a6c1768

SHA256
239f0d532fcd06fea5ca5c838fde41a30971c8ca3e0f5db0c2cd935860b8b640

SHA512
27ad5521a16eed565afd98df752ddf9b74bf6439b6fed7f23e236f1dd63b0333c2bad6d268f736f88da03399184860ce7e5571a6c7f17c002f0869065fa13fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb_83b1.tmp.exe
MD5
0144accd439cb4d05d547bc226306a90

SHA1
be9ccb630380f6a45b07a85bdc28700e01f9a599

SHA256
1bf2641e0004d676d699746eaf1b488a3573e06abcd4cd7fa81c67a2154ca7ed

SHA512
9edb13afab8300e771067bc93141dcb08a52268d7f408e712e5be84de7913174510d2f2b81e1db2dad4ccb7acd876e242c9969653824e46fa07fa942bd9bef97

Download Submit
C:\Users\Admin\fileu.exe
MD5
f8938b5c44ddb8c25bf1c976a6d2b627

SHA1
d356067d79d709e25b7b5aefcc8fd5e8b9c5f342

SHA256
e2ca1d708de42fa96bf9f6b4ae7059af755ad2b694bc91f59b4e696ddf6a81fb

SHA512
00898e944b2dfc1c61c2bfd066107364ecff4e03fae613fd4b1e8771e229659b4282cac1f88a26c16d57ee49472688f28c7fb16ce2458b56f9d9b36c11c53bd7

Download Submit
C:\Users\Admin\fileu.exe
MD5
f8938b5c44ddb8c25bf1c976a6d2b627

SHA1
d356067d79d709e25b7b5aefcc8fd5e8b9c5f342

SHA256
e2ca1d708de42fa96bf9f6b4ae7059af755ad2b694bc91f59b4e696ddf6a81fb

SHA512
00898e944b2dfc1c61c2bfd066107364ecff4e03fae613fd4b1e8771e229659b4282cac1f88a26c16d57ee49472688f28c7fb16ce2458b56f9d9b36c11c53bd7

Download Submit
C:\Users\Public\69577.exe
MD5
f8938b5c44ddb8c25bf1c976a6d2b627

SHA1
d356067d79d709e25b7b5aefcc8fd5e8b9c5f342

SHA256
e2ca1d708de42fa96bf9f6b4ae7059af755ad2b694bc91f59b4e696ddf6a81fb

SHA512
00898e944b2dfc1c61c2bfd066107364ecff4e03fae613fd4b1e8771e229659b4282cac1f88a26c16d57ee49472688f28c7fb16ce2458b56f9d9b36c11c53bd7

Download Submit
C:\Users\Public\69577.exe
MD5
f8938b5c44ddb8c25bf1c976a6d2b627

SHA1
d356067d79d709e25b7b5aefcc8fd5e8b9c5f342

SHA256
e2ca1d708de42fa96bf9f6b4ae7059af755ad2b694bc91f59b4e696ddf6a81fb

SHA512
00898e944b2dfc1c61c2bfd066107364ecff4e03fae613fd4b1e8771e229659b4282cac1f88a26c16d57ee49472688f28c7fb16ce2458b56f9d9b36c11c53bd7

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Local\Temp\FB_83B1.tmp.exe
MD5
0144accd439cb4d05d547bc226306a90

SHA1
be9ccb630380f6a45b07a85bdc28700e01f9a599

SHA256
1bf2641e0004d676d699746eaf1b488a3573e06abcd4cd7fa81c67a2154ca7ed

SHA512
9edb13afab8300e771067bc93141dcb08a52268d7f408e712e5be84de7913174510d2f2b81e1db2dad4ccb7acd876e242c9969653824e46fa07fa942bd9bef97

Download Submit
\Users\Admin\AppData\Local\Temp\FB_83B1.tmp.exe
MD5
0144accd439cb4d05d547bc226306a90

SHA1
be9ccb630380f6a45b07a85bdc28700e01f9a599

SHA256
1bf2641e0004d676d699746eaf1b488a3573e06abcd4cd7fa81c67a2154ca7ed

SHA512
9edb13afab8300e771067bc93141dcb08a52268d7f408e712e5be84de7913174510d2f2b81e1db2dad4ccb7acd876e242c9969653824e46fa07fa942bd9bef97

Download Submit
\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exe
MD5
669c3ae5b4730a47e198541a91d6d0ac

SHA1
b682abe4a0bc4f6d0869e4f14cf36bff6a6c1768

SHA256
239f0d532fcd06fea5ca5c838fde41a30971c8ca3e0f5db0c2cd935860b8b640

SHA512
27ad5521a16eed565afd98df752ddf9b74bf6439b6fed7f23e236f1dd63b0333c2bad6d268f736f88da03399184860ce7e5571a6c7f17c002f0869065fa13fdc

Download Submit
\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exe
MD5
669c3ae5b4730a47e198541a91d6d0ac

SHA1
b682abe4a0bc4f6d0869e4f14cf36bff6a6c1768

SHA256
239f0d532fcd06fea5ca5c838fde41a30971c8ca3e0f5db0c2cd935860b8b640

SHA512
27ad5521a16eed565afd98df752ddf9b74bf6439b6fed7f23e236f1dd63b0333c2bad6d268f736f88da03399184860ce7e5571a6c7f17c002f0869065fa13fdc

Download Submit
\Users\Admin\fileu.exe
MD5
f8938b5c44ddb8c25bf1c976a6d2b627

SHA1
d356067d79d709e25b7b5aefcc8fd5e8b9c5f342

SHA256
e2ca1d708de42fa96bf9f6b4ae7059af755ad2b694bc91f59b4e696ddf6a81fb

SHA512
00898e944b2dfc1c61c2bfd066107364ecff4e03fae613fd4b1e8771e229659b4282cac1f88a26c16d57ee49472688f28c7fb16ce2458b56f9d9b36c11c53bd7

Download Submit
\Users\Public\69577.exe
MD5
f8938b5c44ddb8c25bf1c976a6d2b627

SHA1
d356067d79d709e25b7b5aefcc8fd5e8b9c5f342

SHA256
e2ca1d708de42fa96bf9f6b4ae7059af755ad2b694bc91f59b4e696ddf6a81fb

SHA512
00898e944b2dfc1c61c2bfd066107364ecff4e03fae613fd4b1e8771e229659b4282cac1f88a26c16d57ee49472688f28c7fb16ce2458b56f9d9b36c11c53bd7

Download Submit
memory/316-38-0x0000000000000000-mapping.dmp

Download
memory/592-19-0x000000006B4C0000-0x000000006BBAE000-memory.dmp

Filesize
6.9MB

Download
memory/592-20-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/592-24-0x0000000001F70000-0x0000000001F7B000-memory.dmp

Filesize
44KB

Download
memory/592-25-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/592-16-0x0000000000000000-mapping.dmp

Download
memory/1232-13-0x0000000000000000-mapping.dmp

Download
memory/1324-11-0x00000000004B0000-0x00000000004CE000-memory.dmp

Filesize
120KB

Download
memory/1324-12-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1324-9-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/1324-8-0x000000006B4C0000-0x000000006BBAE000-memory.dmp

Filesize
6.9MB

Download
memory/1324-5-0x0000000000000000-mapping.dmp

Download
memory/1648-29-0x0000000000401190-mapping.dmp

Download
memory/1648-31-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1648-28-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1688-3-0x000007FEF6580000-0x000007FEF67FA000-memory.dmp

Filesize
2.5MB

Download
memory/1772-14-0x0000000000000000-mapping.dmp

Download
memory/1780-34-0x0000000000000000-mapping.dmp

Download
memory/1972-2-0x0000000000000000-mapping.dmp

Download