netwire | 552056b97b69043abf8aa860469bd915c9c9c7d74c9ab3bc54e768c199618743

Analysis

max time kernel
203s
max time network
304s
platform
windows10_x64
resource
win10-en-20211014
submitted
02-12-2021 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

list_9394_spares_0034_394830.pdf.exe
Size

363KB
MD5

1be7781cf8cd18e3697e1d757df86faf
SHA1

f7287794a7695a5d548e4edb32b85dbfd796ff9b
SHA256

dec95d20b76f488818e6e59450be1f8e927f5c22ae59ed02e958a3e313145ee5
SHA512

2347bfb437f050da063f2439fd0c1c63237616f5903e477002383e73595cc952e87ca17c48ab23b549a832022d1422cc83705a8d312a4251a518ee978e89b962

Score

10^/10

netwire warzonerat botnet collection infostealer rat stealer

Malware Config

Extracted

Family

warzonerat

exportmunic007.duckdns.org:5200

Extracted

Family

netwire

podzeye.duckdns.org:6688

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
lock_executable
false
mutex
offline_keylogger
false
password
Password
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2056-413-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/2056-424-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2868-145-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2868-146-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/2868-149-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Windows.exe

pid process

652 Windows.exe
Loads dropped DLL 6 IoCs

Processes:

vbc.exe

pid process

2868 vbc.exe
2868 vbc.exe
2868 vbc.exe
2868 vbc.exe
2868 vbc.exe
2868 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
652	Windows.exe

pid	process
2868	vbc.exe
2868	vbc.exe
2868	vbc.exe
2868	vbc.exe
2868	vbc.exe
2868	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

list_9394_spares_0034_394830.pdf.exeWindows.exe

description	pid	process	target process
PID 2780 set thread context of 2868	2780	list_9394_spares_0034_394830.pdf.exe	vbc.exe
PID 652 set thread context of 2056	652	Windows.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2916 schtasks.exe
2612 schtasks.exe

pid	process
2916	schtasks.exe
2612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

list_9394_spares_0034_394830.pdf.exepowershell.exeWindows.exepowershell.exe

pid	process
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
2780	list_9394_spares_0034_394830.pdf.exe
364	powershell.exe
364	powershell.exe
364	powershell.exe
652	Windows.exe
652	Windows.exe
652	Windows.exe
652	Windows.exe
652	Windows.exe
652	Windows.exe
652	Windows.exe
652	Windows.exe
652	Windows.exe
652	Windows.exe
652	Windows.exe
652	Windows.exe
2304	powershell.exe
2304	powershell.exe
2304	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

list_9394_spares_0034_394830.pdf.exepowershell.exeWindows.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2780	list_9394_spares_0034_394830.pdf.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	652	Windows.exe
Token: SeDebugPrivilege	2304	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

list_9394_spares_0034_394830.pdf.exeWindows.exe

description	pid	process	target process
PID 2780 wrote to memory of 652	2780	list_9394_spares_0034_394830.pdf.exe	Windows.exe
PID 2780 wrote to memory of 652	2780	list_9394_spares_0034_394830.pdf.exe	Windows.exe
PID 2780 wrote to memory of 652	2780	list_9394_spares_0034_394830.pdf.exe	Windows.exe
PID 2780 wrote to memory of 364	2780	list_9394_spares_0034_394830.pdf.exe	powershell.exe
PID 2780 wrote to memory of 364	2780	list_9394_spares_0034_394830.pdf.exe	powershell.exe
PID 2780 wrote to memory of 364	2780	list_9394_spares_0034_394830.pdf.exe	powershell.exe
PID 2780 wrote to memory of 2612	2780	list_9394_spares_0034_394830.pdf.exe	schtasks.exe
PID 2780 wrote to memory of 2612	2780	list_9394_spares_0034_394830.pdf.exe	schtasks.exe
PID 2780 wrote to memory of 2612	2780	list_9394_spares_0034_394830.pdf.exe	schtasks.exe
PID 2780 wrote to memory of 2868	2780	list_9394_spares_0034_394830.pdf.exe	vbc.exe
PID 2780 wrote to memory of 2868	2780	list_9394_spares_0034_394830.pdf.exe	vbc.exe
PID 2780 wrote to memory of 2868	2780	list_9394_spares_0034_394830.pdf.exe	vbc.exe
PID 2780 wrote to memory of 2868	2780	list_9394_spares_0034_394830.pdf.exe	vbc.exe
PID 2780 wrote to memory of 2868	2780	list_9394_spares_0034_394830.pdf.exe	vbc.exe
PID 2780 wrote to memory of 2868	2780	list_9394_spares_0034_394830.pdf.exe	vbc.exe
PID 2780 wrote to memory of 2868	2780	list_9394_spares_0034_394830.pdf.exe	vbc.exe
PID 2780 wrote to memory of 2868	2780	list_9394_spares_0034_394830.pdf.exe	vbc.exe
PID 2780 wrote to memory of 2868	2780	list_9394_spares_0034_394830.pdf.exe	vbc.exe
PID 2780 wrote to memory of 2868	2780	list_9394_spares_0034_394830.pdf.exe	vbc.exe
PID 2780 wrote to memory of 2868	2780	list_9394_spares_0034_394830.pdf.exe	vbc.exe
PID 652 wrote to memory of 2304	652	Windows.exe	powershell.exe
PID 652 wrote to memory of 2304	652	Windows.exe	powershell.exe
PID 652 wrote to memory of 2304	652	Windows.exe	powershell.exe
PID 652 wrote to memory of 2916	652	Windows.exe	schtasks.exe
PID 652 wrote to memory of 2916	652	Windows.exe	schtasks.exe
PID 652 wrote to memory of 2916	652	Windows.exe	schtasks.exe
PID 652 wrote to memory of 2056	652	Windows.exe	vbc.exe
PID 652 wrote to memory of 2056	652	Windows.exe	vbc.exe
PID 652 wrote to memory of 2056	652	Windows.exe	vbc.exe
PID 652 wrote to memory of 2056	652	Windows.exe	vbc.exe
PID 652 wrote to memory of 2056	652	Windows.exe	vbc.exe
PID 652 wrote to memory of 2056	652	Windows.exe	vbc.exe
PID 652 wrote to memory of 2056	652	Windows.exe	vbc.exe
PID 652 wrote to memory of 2056	652	Windows.exe	vbc.exe
PID 652 wrote to memory of 2056	652	Windows.exe	vbc.exe
PID 652 wrote to memory of 2056	652	Windows.exe	vbc.exe
PID 652 wrote to memory of 2056	652	Windows.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Users\Admin\AppData\Local\Temp\list_9394_spares_0034_394830.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\list_9394_spares_0034_394830.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Local\Temp\Windows.exe
"C:\Users\Admin\AppData\Local\Temp\Windows.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pTttiBCRsYvNB.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pTttiBCRsYvNB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB856.tmp"
3⤵
- Creates scheduled task(s)
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dKuoLw.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dKuoLw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF99.tmp"
2⤵
- Creates scheduled task(s)
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9f6aa35b5fc72ab1f07caa2b653252c8

SHA1
74aaa79400b9b6cca30b9662ef82318cce8188ea

SHA256
8ffa13ff9d1d5a506f7d8f0c1e9d7c63834b54731a10f1e3474414a726a393a2

SHA512
eac87f159f972af948ecc32b71106f60692d8853dc2b88663b6177bbe5361a22c09026e35402cac28b33fee9144a7bafeef7ba23dcab8db6483715eb91d56317

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.exe
MD5
863def684cf38c1eb0a965055868202b

SHA1
1a15336ac56b2e63eb29805293a64a0b014fde0d

SHA256
8d348ae8f1e83828ab21de109a0a1d4d3b79c5af12e0ca878e2ee1ad8eddfd6e

SHA512
bbaf8a4287ca8e5f1730c0eec575d9d714385c848ffce61269e9c12aec265264a93f7cfa97966faff2dec3e22983491a8f2bcfe997a483e3e244ceb0290bea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.exe
MD5
863def684cf38c1eb0a965055868202b

SHA1
1a15336ac56b2e63eb29805293a64a0b014fde0d

SHA256
8d348ae8f1e83828ab21de109a0a1d4d3b79c5af12e0ca878e2ee1ad8eddfd6e

SHA512
bbaf8a4287ca8e5f1730c0eec575d9d714385c848ffce61269e9c12aec265264a93f7cfa97966faff2dec3e22983491a8f2bcfe997a483e3e244ceb0290bea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB856.tmp
MD5
55d573e866a994a301def3d4b30d5c63

SHA1
752e8ec06545196f6dad6a35382385b8d20ba372

SHA256
8e6c9abf5bb98e970a6c5de36c502946fdad483e7ed5afcd07dccaccae0eb2aa

SHA512
a8483f0d05a4afe1a2ae87f3e6769cf3be0f5fbb4be1827809c8d9627a93159ad88d20b031596ef721776405e97fdcd653d38d65c34ae4ff120eebeabe219b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF99.tmp
MD5
0887b08ab1340dddede45deb38bde71e

SHA1
d1b9baf46db4de13325dcf4c149b8443885814d1

SHA256
2a54c47be8ce5f258817323c098e6dde49ac35445219603c1b4a6e4ed7b0803c

SHA512
1fc30799e3d733cd140a96665b4147da73b8ed1574df9ca0bddea2761fa1ece4c4f6556ad797080e282d28f041bd082050c0e1974aaf0cdeb7bb64b8f25e1354

Download Submit
\Users\Admin\AppData\Local\Temp\freebl3.dll
MD5
ef12ab9d0b231b8f898067b2114b1bc0

SHA1
6d90f27b2105945f9bb77039e8b892070a5f9442

SHA256
2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

SHA512
2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Download Submit
\Users\Admin\AppData\Local\Temp\mozglue.dll
MD5
75f8cc548cabf0cc800c25047e4d3124

SHA1
602676768f9faecd35b48c38a0632781dfbde10c

SHA256
fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

SHA512
ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll
MD5
d7858e8449004e21b01d468e9fd04b82

SHA1
9524352071ede21c167e7e4f106e9526dc23ef4e

SHA256
78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db

SHA512
1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

Download Submit
\Users\Admin\AppData\Local\Temp\softokn3.dll
MD5
471c983513694ac3002590345f2be0da

SHA1
6612b9af4ff6830fa9b7d4193078434ef72f775b

SHA256
bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f

SHA512
a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/364-169-0x0000000009730000-0x0000000009763000-memory.dmp

Filesize
204KB

Download
memory/364-153-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/364-136-0x0000000000000000-mapping.dmp

Download
memory/364-186-0x0000000009A70000-0x0000000009A71000-memory.dmp

Filesize
4KB

Download
memory/364-138-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/364-139-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/364-140-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/364-185-0x0000000004C53000-0x0000000004C54000-memory.dmp

Filesize
4KB

Download
memory/364-142-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/364-143-0x0000000004C52000-0x0000000004C53000-memory.dmp

Filesize
4KB

Download
memory/364-144-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/364-184-0x000000007E570000-0x000000007E571000-memory.dmp

Filesize
4KB

Download
memory/364-183-0x0000000009860000-0x0000000009861000-memory.dmp

Filesize
4KB

Download
memory/364-178-0x0000000009710000-0x0000000009711000-memory.dmp

Filesize
4KB

Download
memory/364-157-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/364-156-0x0000000008790000-0x0000000008791000-memory.dmp

Filesize
4KB

Download
memory/364-150-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/364-151-0x0000000007F70000-0x0000000007F71000-memory.dmp

Filesize
4KB

Download
memory/364-152-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/364-154-0x0000000007D90000-0x0000000007D91000-memory.dmp

Filesize
4KB

Download
memory/652-125-0x0000000000000000-mapping.dmp

Download
memory/652-128-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/652-135-0x00000000057B0000-0x0000000005CAE000-memory.dmp

Filesize
5.0MB

Download
memory/2056-413-0x000000000040242D-mapping.dmp

Download
memory/2056-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-445-0x000000007FA40000-0x000000007FA41000-memory.dmp

Filesize
4KB

Download
memory/2304-412-0x00000000073C2000-0x00000000073C3000-memory.dmp

Filesize
4KB

Download
memory/2304-409-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/2304-402-0x0000000000000000-mapping.dmp

Download
memory/2304-447-0x00000000073C3000-0x00000000073C4000-memory.dmp

Filesize
4KB

Download
memory/2612-137-0x0000000000000000-mapping.dmp

Download
memory/2780-124-0x00000000008A0000-0x00000000008E7000-memory.dmp

Filesize
284KB

Download
memory/2780-115-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2780-120-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/2780-121-0x0000000004BA0000-0x0000000004BA8000-memory.dmp

Filesize
32KB

Download
memory/2780-122-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2780-123-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2780-117-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2780-119-0x0000000004BC0000-0x00000000050BE000-memory.dmp

Filesize
5.0MB

Download
memory/2780-118-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/2868-146-0x0000000000405CE2-mapping.dmp

Download
memory/2868-159-0x0000000008B80000-0x0000000008C04000-memory.dmp

Filesize
528KB

Download
memory/2868-149-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2868-148-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2868-147-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2868-145-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2916-403-0x0000000000000000-mapping.dmp

Download