netwire | 5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe
Size

988KB
MD5

d03ba9e213edd46a343511e079637126
SHA1

5ce61b2a7b537ef63784084a1b0a26fd7d7fbd44
SHA256

5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f
SHA512

302c6e6bbb72241ac7e759be24b8c737ac41c90cb6af02f734aba98489dce8b571ef17d3b99b4e64ce3df435f585f5e14f4f781e11343ff2aa126d0d99312eaa

Score

10^/10

netwire warzonerat botnet infostealer persistence rat stealer

Malware Config

Extracted

Family

warzonerat

43.226.229.43:2031

Signatures

NetWire RAT payload 17 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4600-130-0x0000000000400000-0x00000000004FD000-memory.dmp	netwire
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\windows\windows.exe	netwire
C:\Users\Admin\AppData\Roaming\windows\windows.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\windows\windows.exe	netwire
C:\Users\Admin\AppData\Roaming\windows\windows.exe	netwire
behavioral2/memory/4172-144-0x0000000000400000-0x00000000004FD000-memory.dmp	netwire
C:\ProgramData\images.exe	netwire
C:\ProgramData\images.exe	netwire
behavioral2/memory/1120-169-0x0000000000400000-0x00000000004FD000-memory.dmp	netwire
C:\Users\Admin\AppData\Roaming\windows\windows.exe	netwire
behavioral2/memory/260-172-0x0000000000400000-0x00000000004FD000-memory.dmp	netwire
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\windows\windows.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3704-145-0x0000000002230000-0x000000000224D000-memory.dmp	warzonerat
behavioral2/memory/3704-151-0x0000000002230000-0x000000000224D000-memory.dmp	warzonerat

Executes dropped EXE 9 IoCs

Processes:

Host.exewindows.exeHost.exewindows.exewindows.exeimages.exewindows.exeHost.exewindows.exe

pid process

1424 Host.exe
4172 windows.exe
1032 Host.exe
3704 windows.exe
1120 windows.exe
260 images.exe
828 windows.exe
4444 Host.exe
3888 windows.exe

pid	process
1424	Host.exe
4172	windows.exe
1032	Host.exe
3704	windows.exe
1120	windows.exe
260	images.exe
828	windows.exe
4444	Host.exe
3888	windows.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

images.exe5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exeHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	images.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	Host.exe

Drops startup file 1 IoCs

Processes:

windows.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.vbs windows.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.vbs	windows.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exewindows.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	windows.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

windows.exe

description pid process target process

PID 4172 set thread context of 3704 4172 windows.exe windows.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4172 set thread context of 3704	4172	windows.exe	windows.exe

NTFS ADS 3 IoCs

Processes:

5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exewindows.exeimages.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\windows\windows.exe:ZoneIdentifier	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe
File created	C:\ProgramData\images.exe\:ZoneIdentifier:$DATA	windows.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\windows\windows.exe:ZoneIdentifier	images.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exewindows.exewindows.exepowershell.exewindows.exeimages.exe

pid	process
4600	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe
4600	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe
4172	windows.exe
4172	windows.exe
3704	windows.exe
3704	windows.exe
3704	windows.exe
3704	windows.exe
4044	powershell.exe
4044	powershell.exe
1120	windows.exe
1120	windows.exe
1120	windows.exe
1120	windows.exe
260	images.exe
260	images.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

windows.exe

pid process

4172 windows.exe
4172 windows.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4044 powershell.exe

pid	process
4172	windows.exe
4172	windows.exe

description	pid	process
Token: SeDebugPrivilege	4044	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exeHost.exewindows.exewindows.exewindows.exeimages.exe

description	pid	process	target process
PID 4600 wrote to memory of 1424	4600	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	Host.exe
PID 4600 wrote to memory of 1424	4600	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	Host.exe
PID 4600 wrote to memory of 1424	4600	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	Host.exe
PID 4600 wrote to memory of 4172	4600	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	windows.exe
PID 4600 wrote to memory of 4172	4600	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	windows.exe
PID 4600 wrote to memory of 4172	4600	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	windows.exe
PID 1424 wrote to memory of 1032	1424	Host.exe	Host.exe
PID 1424 wrote to memory of 1032	1424	Host.exe	Host.exe
PID 1424 wrote to memory of 1032	1424	Host.exe	Host.exe
PID 4172 wrote to memory of 3704	4172	windows.exe	windows.exe
PID 4172 wrote to memory of 3704	4172	windows.exe	windows.exe
PID 4172 wrote to memory of 3704	4172	windows.exe	windows.exe
PID 4172 wrote to memory of 1120	4172	windows.exe	windows.exe
PID 4172 wrote to memory of 1120	4172	windows.exe	windows.exe
PID 4172 wrote to memory of 1120	4172	windows.exe	windows.exe
PID 3704 wrote to memory of 4044	3704	windows.exe	powershell.exe
PID 3704 wrote to memory of 4044	3704	windows.exe	powershell.exe
PID 3704 wrote to memory of 4044	3704	windows.exe	powershell.exe
PID 3704 wrote to memory of 260	3704	windows.exe	images.exe
PID 3704 wrote to memory of 260	3704	windows.exe	images.exe
PID 3704 wrote to memory of 260	3704	windows.exe	images.exe
PID 1120 wrote to memory of 828	1120	windows.exe	windows.exe
PID 1120 wrote to memory of 828	1120	windows.exe	windows.exe
PID 1120 wrote to memory of 828	1120	windows.exe	windows.exe
PID 260 wrote to memory of 4444	260	images.exe	Host.exe
PID 260 wrote to memory of 4444	260	images.exe	Host.exe
PID 260 wrote to memory of 4444	260	images.exe	Host.exe
PID 260 wrote to memory of 3888	260	images.exe	windows.exe
PID 260 wrote to memory of 3888	260	images.exe	windows.exe
PID 260 wrote to memory of 3888	260	images.exe	windows.exe

C:\Users\Admin\AppData\Local\Temp\5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe
"C:\Users\Admin\AppData\Local\Temp\5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe"
1⤵
- Checks computer location settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4600

C:\Users\Admin\AppData\Local\Temp\Host.exe
"C:\Users\Admin\AppData\Local\Temp\Host.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1032

C:\Users\Admin\AppData\Roaming\windows\windows.exe
"C:\Users\Admin\AppData\Roaming\windows\windows.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Roaming\windows\windows.exe
"C:\Users\Admin\AppData\Roaming\windows\windows.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:260

C:\Users\Admin\AppData\Local\Temp\Host.exe
"C:\Users\Admin\AppData\Local\Temp\Host.exe"
5⤵
- Executes dropped EXE
PID:4444

C:\Users\Admin\AppData\Roaming\windows\windows.exe
"C:\Users\Admin\AppData\Roaming\windows\windows.exe"
5⤵
- Executes dropped EXE
PID:3888

C:\Users\Admin\AppData\Roaming\windows\windows.exe
"C:\Users\Admin\AppData\Roaming\windows\windows.exe" 2 3704 240659906
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Roaming\windows\windows.exe
"C:\Users\Admin\AppData\Roaming\windows\windows.exe"
4⤵
- Executes dropped EXE
PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

Filesize
988KB

MD5
d03ba9e213edd46a343511e079637126

SHA1
5ce61b2a7b537ef63784084a1b0a26fd7d7fbd44

SHA256
5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f

SHA512
302c6e6bbb72241ac7e759be24b8c737ac41c90cb6af02f734aba98489dce8b571ef17d3b99b4e64ce3df435f585f5e14f4f781e11343ff2aa126d0d99312eaa

Download Submit
C:\ProgramData\images.exe

Filesize
988KB

MD5
d03ba9e213edd46a343511e079637126

SHA1
5ce61b2a7b537ef63784084a1b0a26fd7d7fbd44

SHA256
5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f

SHA512
302c6e6bbb72241ac7e759be24b8c737ac41c90cb6af02f734aba98489dce8b571ef17d3b99b4e64ce3df435f585f5e14f4f781e11343ff2aa126d0d99312eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
127KB

MD5
a0801a22c0b8384e64e8e86c7315d450

SHA1
ac63c13511c952fdb432c2ef4994dde73f25e1a0

SHA256
f7f39c5eb13af3a41222f44d27bada69a54392421a02cbe0fa69e462889c11f5

SHA512
466732fbeb41f212ae4e7e67d86eb23824b262a1262cc86c015390cacc5f994e28e90037d62186d1ae192ed5cbd7cb090827014b078bafb46deb2a573ba27a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
127KB

MD5
a0801a22c0b8384e64e8e86c7315d450

SHA1
ac63c13511c952fdb432c2ef4994dde73f25e1a0

SHA256
f7f39c5eb13af3a41222f44d27bada69a54392421a02cbe0fa69e462889c11f5

SHA512
466732fbeb41f212ae4e7e67d86eb23824b262a1262cc86c015390cacc5f994e28e90037d62186d1ae192ed5cbd7cb090827014b078bafb46deb2a573ba27a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
127KB

MD5
a0801a22c0b8384e64e8e86c7315d450

SHA1
ac63c13511c952fdb432c2ef4994dde73f25e1a0

SHA256
f7f39c5eb13af3a41222f44d27bada69a54392421a02cbe0fa69e462889c11f5

SHA512
466732fbeb41f212ae4e7e67d86eb23824b262a1262cc86c015390cacc5f994e28e90037d62186d1ae192ed5cbd7cb090827014b078bafb46deb2a573ba27a37

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
127KB

MD5
a0801a22c0b8384e64e8e86c7315d450

SHA1
ac63c13511c952fdb432c2ef4994dde73f25e1a0

SHA256
f7f39c5eb13af3a41222f44d27bada69a54392421a02cbe0fa69e462889c11f5

SHA512
466732fbeb41f212ae4e7e67d86eb23824b262a1262cc86c015390cacc5f994e28e90037d62186d1ae192ed5cbd7cb090827014b078bafb46deb2a573ba27a37

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
127KB

MD5
a0801a22c0b8384e64e8e86c7315d450

SHA1
ac63c13511c952fdb432c2ef4994dde73f25e1a0

SHA256
f7f39c5eb13af3a41222f44d27bada69a54392421a02cbe0fa69e462889c11f5

SHA512
466732fbeb41f212ae4e7e67d86eb23824b262a1262cc86c015390cacc5f994e28e90037d62186d1ae192ed5cbd7cb090827014b078bafb46deb2a573ba27a37

Download Submit
C:\Users\Admin\AppData\Roaming\windows\windows.exe

Filesize
988KB

MD5
d03ba9e213edd46a343511e079637126

SHA1
5ce61b2a7b537ef63784084a1b0a26fd7d7fbd44

SHA256
5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f

SHA512
302c6e6bbb72241ac7e759be24b8c737ac41c90cb6af02f734aba98489dce8b571ef17d3b99b4e64ce3df435f585f5e14f4f781e11343ff2aa126d0d99312eaa

Download Submit
C:\Users\Admin\AppData\Roaming\windows\windows.exe

Filesize
988KB

MD5
d03ba9e213edd46a343511e079637126

SHA1
5ce61b2a7b537ef63784084a1b0a26fd7d7fbd44

SHA256
5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f

SHA512
302c6e6bbb72241ac7e759be24b8c737ac41c90cb6af02f734aba98489dce8b571ef17d3b99b4e64ce3df435f585f5e14f4f781e11343ff2aa126d0d99312eaa

Download Submit
C:\Users\Admin\AppData\Roaming\windows\windows.exe

Filesize
988KB

MD5
d03ba9e213edd46a343511e079637126

SHA1
5ce61b2a7b537ef63784084a1b0a26fd7d7fbd44

SHA256
5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f

SHA512
302c6e6bbb72241ac7e759be24b8c737ac41c90cb6af02f734aba98489dce8b571ef17d3b99b4e64ce3df435f585f5e14f4f781e11343ff2aa126d0d99312eaa

Download Submit
C:\Users\Admin\AppData\Roaming\windows\windows.exe

Filesize
988KB

MD5
d03ba9e213edd46a343511e079637126

SHA1
5ce61b2a7b537ef63784084a1b0a26fd7d7fbd44

SHA256
5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f

SHA512
302c6e6bbb72241ac7e759be24b8c737ac41c90cb6af02f734aba98489dce8b571ef17d3b99b4e64ce3df435f585f5e14f4f781e11343ff2aa126d0d99312eaa

Download Submit
C:\Users\Admin\AppData\Roaming\windows\windows.exe

Filesize
988KB

MD5
d03ba9e213edd46a343511e079637126

SHA1
5ce61b2a7b537ef63784084a1b0a26fd7d7fbd44

SHA256
5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f

SHA512
302c6e6bbb72241ac7e759be24b8c737ac41c90cb6af02f734aba98489dce8b571ef17d3b99b4e64ce3df435f585f5e14f4f781e11343ff2aa126d0d99312eaa

Download Submit
C:\Users\Admin\AppData\Roaming\windows\windows.exe

Filesize
988KB

MD5
d03ba9e213edd46a343511e079637126

SHA1
5ce61b2a7b537ef63784084a1b0a26fd7d7fbd44

SHA256
5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f

SHA512
302c6e6bbb72241ac7e759be24b8c737ac41c90cb6af02f734aba98489dce8b571ef17d3b99b4e64ce3df435f585f5e14f4f781e11343ff2aa126d0d99312eaa

Download Submit
memory/260-172-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/260-148-0x0000000000000000-mapping.dmp

Download
memory/828-170-0x0000000000000000-mapping.dmp

Download
memory/1032-137-0x0000000000000000-mapping.dmp

Download
memory/1120-142-0x0000000000000000-mapping.dmp

Download
memory/1120-169-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/1424-131-0x0000000000000000-mapping.dmp

Download
memory/3704-152-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/3704-151-0x0000000002230000-0x000000000224D000-memory.dmp

Filesize
116KB

Download
memory/3704-140-0x0000000000000000-mapping.dmp

Download
memory/3704-145-0x0000000002230000-0x000000000224D000-memory.dmp

Filesize
116KB

Download
memory/3704-146-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/3888-175-0x0000000000000000-mapping.dmp

Download
memory/4044-163-0x0000000006E20000-0x0000000006E3A000-memory.dmp

Filesize
104KB

Download
memory/4044-167-0x0000000007160000-0x000000000717A000-memory.dmp

Filesize
104KB

Download
memory/4044-158-0x0000000005B30000-0x0000000005B4E000-memory.dmp

Filesize
120KB

Download
memory/4044-159-0x0000000006100000-0x0000000006132000-memory.dmp

Filesize
200KB

Download
memory/4044-160-0x0000000074750000-0x000000007479C000-memory.dmp

Filesize
304KB

Download
memory/4044-161-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/4044-162-0x0000000007460000-0x0000000007ADA000-memory.dmp

Filesize
6.5MB

Download
memory/4044-156-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/4044-164-0x0000000006E90000-0x0000000006E9A000-memory.dmp

Filesize
40KB

Download
memory/4044-165-0x00000000070A0000-0x0000000007136000-memory.dmp

Filesize
600KB

Download
memory/4044-166-0x0000000007050000-0x000000000705E000-memory.dmp

Filesize
56KB

Download
memory/4044-157-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/4044-168-0x0000000007140000-0x0000000007148000-memory.dmp

Filesize
32KB

Download
memory/4044-147-0x0000000000000000-mapping.dmp

Download
memory/4044-155-0x0000000004B10000-0x0000000004B32000-memory.dmp

Filesize
136KB

Download
memory/4044-154-0x0000000004C30000-0x0000000005258000-memory.dmp

Filesize
6.2MB

Download
memory/4044-153-0x0000000002180000-0x00000000021B6000-memory.dmp

Filesize
216KB

Download
memory/4172-144-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/4172-134-0x0000000000000000-mapping.dmp

Download
memory/4444-173-0x0000000000000000-mapping.dmp

Download
memory/4600-130-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download