netwire | 48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b

Analysis

max time kernel
169s
max time network
297s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
15-07-2022 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVOICE3.xll
Size

891KB
MD5

df41c83b6684fdd3d1d56ffe490a04d7
SHA1

72cee1661333584e3ce4f4063a8f196545141cd6
SHA256

48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b
SHA512

66ba4abad68589d5d1af9a525d302200438eb399f5d4713cf185cbf189ee349369d48cf514628b1a3c9eae57b359659fec90a915ce46da0a73bdc35f7bf295af

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

194.5.98.126:3378

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Pass@2023
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4632-543-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/4632-610-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4632-613-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	604	4448	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4248	4448	cmd.exe	EXCEL.EXE

Executes dropped EXE 1 IoCs

Processes:

appXLQFBTZQWC.txt.exe

pid process

228 appXLQFBTZQWC.txt.exe
Loads dropped DLL 4 IoCs

Processes:

EXCEL.EXE

pid process

4448 EXCEL.EXE
4448 EXCEL.EXE
4448 EXCEL.EXE
4448 EXCEL.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

appXLQFBTZQWC.txt.exe

description pid process target process

PID 228 set thread context of 4632 228 appXLQFBTZQWC.txt.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
228	appXLQFBTZQWC.txt.exe

description	pid	process	target process
PID 228 set thread context of 4632	228	appXLQFBTZQWC.txt.exe	InstallUtil.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4448 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeappXLQFBTZQWC.txt.exe

pid process

1976 powershell.exe
1976 powershell.exe
1976 powershell.exe
228 appXLQFBTZQWC.txt.exe
228 appXLQFBTZQWC.txt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

appXLQFBTZQWC.txt.exepowershell.exe

description pid process

Token: SeDebugPrivilege 228 appXLQFBTZQWC.txt.exe
Token: SeDebugPrivilege 1976 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4448 EXCEL.EXE
4448 EXCEL.EXE

pid	process
1976	powershell.exe
1976	powershell.exe
1976	powershell.exe
228	appXLQFBTZQWC.txt.exe
228	appXLQFBTZQWC.txt.exe

description	pid	process
Token: SeDebugPrivilege	228	appXLQFBTZQWC.txt.exe
Token: SeDebugPrivilege	1976	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
4448	EXCEL.EXE
4448	EXCEL.EXE
4448	EXCEL.EXE
4448	EXCEL.EXE
4448	EXCEL.EXE
4448	EXCEL.EXE
4448	EXCEL.EXE
4448	EXCEL.EXE
4448	EXCEL.EXE
4448	EXCEL.EXE
4448	EXCEL.EXE
4448	EXCEL.EXE
4448	EXCEL.EXE
4448	EXCEL.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EXCEL.EXEcmd.execmd.exeappXLQFBTZQWC.txt.exe

description	pid	process	target process
PID 4448 wrote to memory of 604	4448	EXCEL.EXE	cmd.exe
PID 4448 wrote to memory of 604	4448	EXCEL.EXE	cmd.exe
PID 604 wrote to memory of 1884	604	cmd.exe	certutil.exe
PID 604 wrote to memory of 1884	604	cmd.exe	certutil.exe
PID 4448 wrote to memory of 4248	4448	EXCEL.EXE	cmd.exe
PID 4448 wrote to memory of 4248	4448	EXCEL.EXE	cmd.exe
PID 4248 wrote to memory of 444	4248	cmd.exe	certutil.exe
PID 4248 wrote to memory of 444	4248	cmd.exe	certutil.exe
PID 4248 wrote to memory of 228	4248	cmd.exe	appXLQFBTZQWC.txt.exe
PID 4248 wrote to memory of 228	4248	cmd.exe	appXLQFBTZQWC.txt.exe
PID 4248 wrote to memory of 228	4248	cmd.exe	appXLQFBTZQWC.txt.exe
PID 228 wrote to memory of 1976	228	appXLQFBTZQWC.txt.exe	powershell.exe
PID 228 wrote to memory of 1976	228	appXLQFBTZQWC.txt.exe	powershell.exe
PID 228 wrote to memory of 1976	228	appXLQFBTZQWC.txt.exe	powershell.exe
PID 228 wrote to memory of 4632	228	appXLQFBTZQWC.txt.exe	InstallUtil.exe
PID 228 wrote to memory of 4632	228	appXLQFBTZQWC.txt.exe	InstallUtil.exe
PID 228 wrote to memory of 4632	228	appXLQFBTZQWC.txt.exe	InstallUtil.exe
PID 228 wrote to memory of 4632	228	appXLQFBTZQWC.txt.exe	InstallUtil.exe
PID 228 wrote to memory of 4632	228	appXLQFBTZQWC.txt.exe	InstallUtil.exe
PID 228 wrote to memory of 4632	228	appXLQFBTZQWC.txt.exe	InstallUtil.exe
PID 228 wrote to memory of 4632	228	appXLQFBTZQWC.txt.exe	InstallUtil.exe
PID 228 wrote to memory of 4632	228	appXLQFBTZQWC.txt.exe	InstallUtil.exe
PID 228 wrote to memory of 4632	228	appXLQFBTZQWC.txt.exe	InstallUtil.exe
PID 228 wrote to memory of 4632	228	appXLQFBTZQWC.txt.exe	InstallUtil.exe
PID 228 wrote to memory of 4632	228	appXLQFBTZQWC.txt.exe	InstallUtil.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\INVOICE3.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C certutil -decode C:\Users\Admin\Downloads\appXLQFBTZQWC.txt C:\Users\Admin\Downloads\appXLQFBTZQWC.txt.xlsx
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Admin\Downloads\appXLQFBTZQWC.txt C:\Users\Admin\Downloads\appXLQFBTZQWC.txt.xlsx
3⤵
PID:1884

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C certutil -decode C:\Users\Admin\Downloads\appXLQFBTZQWC.txt C:\Users\Admin\Downloads\appXLQFBTZQWC.txt.exe & C:\Users\Admin\Downloads\appXLQFBTZQWC.txt.exe
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Admin\Downloads\appXLQFBTZQWC.txt C:\Users\Admin\Downloads\appXLQFBTZQWC.txt.exe
3⤵
PID:444

C:\Users\Admin\Downloads\appXLQFBTZQWC.txt.exe
C:\Users\Admin\Downloads\appXLQFBTZQWC.txt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:4632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\appXLQFBTZQWC.txt

Filesize
57KB

MD5
3bf777b958059b015e552c1fb0a153c1

SHA1
dcc21ff8bb10a2cccca322d04db740f6bc5f411d

SHA256
7a59d3b1d56a7776f0534f84497162965c24d3423fbe4d19569ae20debeccbf5

SHA512
91a5f31ada101554e6f4e55cbd661cae31b92775978d7db048319ed21b1300243b092e0df23758642bf35a383a284cc34b52901bd58c5e8bc8c022b54dbb1a78

Download Submit
C:\Users\Admin\Downloads\appXLQFBTZQWC.txt

Filesize
197KB

MD5
875d8d44c9fa71c89a15de91a8a75e76

SHA1
ef45aa1fe3d23f4e25106dfeead5c07346b41708

SHA256
265ff87c32bb82acfe31f7f37004a92739bba6a4bd390372ac6765f8b3027a75

SHA512
30f01089f20b4b5853648a2dde1219d4a82d47bdaabb284509bd7ab7bfbd1835c2dc3195bbf9bd0d8a91d982973d93f5cf2a65356fef38085970295bf28d6897

Download Submit
C:\Users\Admin\Downloads\appXLQFBTZQWC.txt.exe

Filesize
74KB

MD5
ba31550ebfc4e0ac892d22e3e0c69f51

SHA1
09ad10ee191101a472eedfbd3d4b8fa19fb4cdcb

SHA256
372e7d0d0d0f0847d2cb347b562d78b410e4525a7110f954d3aa3da9c2159324

SHA512
8b60b60131028fa5644648d2be5ff4a6e3bca9d4c0bf5f03fa833ba5c0380e87734b05b6654f9b4e5ef00f8a2f2ae3ec5d67ca1ff78d8f190ae2996b82d58205

Download Submit
C:\Users\Admin\Downloads\appXLQFBTZQWC.txt.exe

Filesize
74KB

MD5
ba31550ebfc4e0ac892d22e3e0c69f51

SHA1
09ad10ee191101a472eedfbd3d4b8fa19fb4cdcb

SHA256
372e7d0d0d0f0847d2cb347b562d78b410e4525a7110f954d3aa3da9c2159324

SHA512
8b60b60131028fa5644648d2be5ff4a6e3bca9d4c0bf5f03fa833ba5c0380e87734b05b6654f9b4e5ef00f8a2f2ae3ec5d67ca1ff78d8f190ae2996b82d58205

Download Submit
C:\Users\Admin\Downloads\appXLQFBTZQWC.txt.xlsx

Filesize
43KB

MD5
287e0b1bd13fbdca2aa0baf624e04901

SHA1
20f0976f0882d61f77c78cf27b1124e16946040c

SHA256
c1ea924fc0fa2f07be75b263c5d624740e8f0a59e7fd24d1c90b620b97f02432

SHA512
4cbf9faa72ccbbeca9995c4970a49cb762f44a659e46169a5418bff1e883a63d84713dc1fe016ac139e64347f8f7e48796c92801b3da359fe10702e13850b5cb

Download Submit
\Users\Admin\AppData\Local\Temp\INVOICE3.xll

Filesize
891KB

MD5
df41c83b6684fdd3d1d56ffe490a04d7

SHA1
72cee1661333584e3ce4f4063a8f196545141cd6

SHA256
48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b

SHA512
66ba4abad68589d5d1af9a525d302200438eb399f5d4713cf185cbf189ee349369d48cf514628b1a3c9eae57b359659fec90a915ce46da0a73bdc35f7bf295af

Download Submit
\Users\Admin\AppData\Local\Temp\INVOICE3.xll

Filesize
891KB

MD5
df41c83b6684fdd3d1d56ffe490a04d7

SHA1
72cee1661333584e3ce4f4063a8f196545141cd6

SHA256
48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b

SHA512
66ba4abad68589d5d1af9a525d302200438eb399f5d4713cf185cbf189ee349369d48cf514628b1a3c9eae57b359659fec90a915ce46da0a73bdc35f7bf295af

Download Submit
\Users\Admin\AppData\Local\Temp\INVOICE3.xll

Filesize
891KB

MD5
df41c83b6684fdd3d1d56ffe490a04d7

SHA1
72cee1661333584e3ce4f4063a8f196545141cd6

SHA256
48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b

SHA512
66ba4abad68589d5d1af9a525d302200438eb399f5d4713cf185cbf189ee349369d48cf514628b1a3c9eae57b359659fec90a915ce46da0a73bdc35f7bf295af

Download Submit
\Users\Admin\AppData\Local\Temp\INVOICE3.xll

Filesize
891KB

MD5
df41c83b6684fdd3d1d56ffe490a04d7

SHA1
72cee1661333584e3ce4f4063a8f196545141cd6

SHA256
48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b

SHA512
66ba4abad68589d5d1af9a525d302200438eb399f5d4713cf185cbf189ee349369d48cf514628b1a3c9eae57b359659fec90a915ce46da0a73bdc35f7bf295af

Download Submit
memory/228-390-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-368-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-540-0x0000000026C00000-0x00000000270FE000-memory.dmp

Filesize
5.0MB

Download
memory/228-539-0x0000000026660000-0x00000000266F2000-memory.dmp

Filesize
584KB

Download
memory/228-435-0x0000000006060000-0x00000000060AC000-memory.dmp

Filesize
304KB

Download
memory/228-434-0x0000000005F90000-0x0000000005FF0000-memory.dmp

Filesize
384KB

Download
memory/228-421-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-420-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-419-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-414-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-416-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-417-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-418-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-360-0x0000000000000000-mapping.dmp

Download
memory/228-362-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-363-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-364-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-365-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-366-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-367-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-397-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-370-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-371-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-415-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-372-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-376-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-374-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-377-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-378-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-379-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-396-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-381-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-383-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-382-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-384-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-386-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-387-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-388-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-385-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-389-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-391-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-413-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-392-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-393-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-394-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-395-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-380-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-412-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-401-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-399-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-400-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-398-0x0000000000DB0000-0x0000000000DC8000-memory.dmp

Filesize
96KB

Download
memory/228-402-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-403-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-404-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-406-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-405-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-407-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-408-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-410-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-409-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/228-411-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/444-358-0x0000000000000000-mapping.dmp

Download
memory/604-340-0x0000000000000000-mapping.dmp

Download
memory/1884-341-0x0000000000000000-mapping.dmp

Download
memory/1976-512-0x0000000007940000-0x000000000798B000-memory.dmp

Filesize
300KB

Download
memory/1976-527-0x0000000009450000-0x0000000009AC8000-memory.dmp

Filesize
6.5MB

Download
memory/1976-481-0x0000000000CA0000-0x0000000000CD6000-memory.dmp

Filesize
216KB

Download
memory/1976-516-0x0000000007BC0000-0x0000000007C36000-memory.dmp

Filesize
472KB

Download
memory/1976-486-0x0000000006CC0000-0x00000000072E8000-memory.dmp

Filesize
6.2MB

Download
memory/1976-528-0x00000000089C0000-0x00000000089DA000-memory.dmp

Filesize
104KB

Download
memory/1976-511-0x0000000007360000-0x000000000737C000-memory.dmp

Filesize
112KB

Download
memory/1976-508-0x00000000075F0000-0x0000000007940000-memory.dmp

Filesize
3.3MB

Download
memory/1976-507-0x00000000072F0000-0x0000000007356000-memory.dmp

Filesize
408KB

Download
memory/1976-506-0x0000000006BD0000-0x0000000006C36000-memory.dmp

Filesize
408KB

Download
memory/1976-503-0x0000000006B30000-0x0000000006B52000-memory.dmp

Filesize
136KB

Download
memory/1976-445-0x0000000000000000-mapping.dmp

Download
memory/4248-357-0x0000000000000000-mapping.dmp

Download
memory/4448-117-0x00007FFC64F50000-0x00007FFC64F60000-memory.dmp

Filesize
64KB

Download
memory/4448-127-0x00007FFC61C00000-0x00007FFC61C10000-memory.dmp

Filesize
64KB

Download
memory/4448-321-0x0000021303450000-0x0000021303486000-memory.dmp

Filesize
216KB

Download
memory/4448-325-0x000002130379C000-0x000002130379F000-memory.dmp

Filesize
12KB

Download
memory/4448-429-0x000002130379C000-0x000002130379F000-memory.dmp

Filesize
12KB

Download
memory/4448-327-0x00000213036B0000-0x0000021303722000-memory.dmp

Filesize
456KB

Download
memory/4448-126-0x00007FFC61C00000-0x00007FFC61C10000-memory.dmp

Filesize
64KB

Download
memory/4448-114-0x00007FFC64F50000-0x00007FFC64F60000-memory.dmp

Filesize
64KB

Download
memory/4448-116-0x00007FFC64F50000-0x00007FFC64F60000-memory.dmp

Filesize
64KB

Download
memory/4448-115-0x00007FFC64F50000-0x00007FFC64F60000-memory.dmp

Filesize
64KB

Download
memory/4448-281-0x0000021303390000-0x00000213033AC000-memory.dmp

Filesize
112KB

Download
memory/4448-248-0x0000021300D30000-0x0000021300E28000-memory.dmp

Filesize
992KB

Download
memory/4632-543-0x000000000040242D-mapping.dmp

Download
memory/4632-610-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-613-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download