netwire | f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
Size

468KB
MD5

606529b46b36d5989d93440d0f9e85cf
SHA1

9dd95827086393300df86e724644038d014f7473
SHA256

f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3
SHA512

b97d2d3f46e769a33c2d05b5bd46e4cda845c3450d2f123fd9a4486e56b593ea79507d2d08f2add6f0449a677cd9d7bd3127f984c425e081cb7378b94ded2292

Score

10^/10

netwire warzonerat botnet infostealer persistence rat stealer

Malware Config

Extracted

Family

warzonerat

wealthyme.warzonedns.com:5216

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1384-140-0x0000000000400000-0x000000000047B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\Warzonedns.exe	warzonerat
C:\Users\Admin\Warzonedns.exe	warzonerat
\Users\Admin\Warzonedns.exe	warzonerat
C:\Users\Admin\Warzonedns.exe	warzonerat
\ProgramData\images.exe	warzonerat
\ProgramData\images.exe	warzonerat
C:\ProgramData\images.exe	warzonerat
C:\ProgramData\images.exe	warzonerat

Executes dropped EXE 4 IoCs

Processes:

OneDrive.exeWarzonedns.exeOneDrive.exeimages.exe

pid process

1348 OneDrive.exe
1380 Warzonedns.exe
1384 OneDrive.exe
532 images.exe

pid	process
1348	OneDrive.exe
1380	Warzonedns.exe
1384	OneDrive.exe
532	images.exe

Loads dropped DLL 6 IoCs

Processes:

f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exeWarzonedns.exe

pid	process
784	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
784	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
784	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
784	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
1380	Warzonedns.exe
1380	Warzonedns.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OneDrive.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup Key = "wscript \"C:\\Users\\Admin\\directory\\OneDrive.vbs\""	OneDrive.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exeOneDrive.exe

description	pid	process	target process
PID 1124 set thread context of 784	1124	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
PID 1348 set thread context of 1384	1348	OneDrive.exe	OneDrive.exe

Drops file in Windows directory 4 IoCs

Processes:

OneDrive.exeOneDrive.exef2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exef2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	OneDrive.exe
File opened for modification	C:\Windows\win.ini	OneDrive.exe
File opened for modification	C:\Windows\win.ini	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
File opened for modification	C:\Windows\win.ini	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1656 powershell.exe
540 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1656 powershell.exe
Token: SeDebugPrivilege 540 powershell.exe

pid	process
1656	powershell.exe
540	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exef2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exeOneDrive.exeOneDrive.exe

pid	process
1124	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
784	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
1348	OneDrive.exe
1384	OneDrive.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exef2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exeOneDrive.exeWarzonedns.exeimages.exe

description	pid	process	target process
PID 1124 wrote to memory of 784	1124	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
PID 1124 wrote to memory of 784	1124	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
PID 1124 wrote to memory of 784	1124	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
PID 1124 wrote to memory of 784	1124	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
PID 784 wrote to memory of 1348	784	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe	OneDrive.exe
PID 784 wrote to memory of 1348	784	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe	OneDrive.exe
PID 784 wrote to memory of 1348	784	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe	OneDrive.exe
PID 784 wrote to memory of 1348	784	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe	OneDrive.exe
PID 784 wrote to memory of 1380	784	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe	Warzonedns.exe
PID 784 wrote to memory of 1380	784	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe	Warzonedns.exe
PID 784 wrote to memory of 1380	784	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe	Warzonedns.exe
PID 784 wrote to memory of 1380	784	f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe	Warzonedns.exe
PID 1348 wrote to memory of 1384	1348	OneDrive.exe	OneDrive.exe
PID 1348 wrote to memory of 1384	1348	OneDrive.exe	OneDrive.exe
PID 1348 wrote to memory of 1384	1348	OneDrive.exe	OneDrive.exe
PID 1348 wrote to memory of 1384	1348	OneDrive.exe	OneDrive.exe
PID 1380 wrote to memory of 1656	1380	Warzonedns.exe	powershell.exe
PID 1380 wrote to memory of 1656	1380	Warzonedns.exe	powershell.exe
PID 1380 wrote to memory of 1656	1380	Warzonedns.exe	powershell.exe
PID 1380 wrote to memory of 1656	1380	Warzonedns.exe	powershell.exe
PID 1380 wrote to memory of 532	1380	Warzonedns.exe	images.exe
PID 1380 wrote to memory of 532	1380	Warzonedns.exe	images.exe
PID 1380 wrote to memory of 532	1380	Warzonedns.exe	images.exe
PID 1380 wrote to memory of 532	1380	Warzonedns.exe	images.exe
PID 532 wrote to memory of 540	532	images.exe	powershell.exe
PID 532 wrote to memory of 540	532	images.exe	powershell.exe
PID 532 wrote to memory of 540	532	images.exe	powershell.exe
PID 532 wrote to memory of 540	532	images.exe	powershell.exe
PID 532 wrote to memory of 1632	532	images.exe	cmd.exe
PID 532 wrote to memory of 1632	532	images.exe	cmd.exe
PID 532 wrote to memory of 1632	532	images.exe	cmd.exe
PID 532 wrote to memory of 1632	532	images.exe	cmd.exe
PID 532 wrote to memory of 1632	532	images.exe	cmd.exe
PID 532 wrote to memory of 1632	532	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
"C:\Users\Admin\AppData\Local\Temp\f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
"C:\Users\Admin\AppData\Local\Temp\f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\directory\OneDrive.exe
"C:\Users\Admin\directory\OneDrive.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\directory\OneDrive.exe
"C:\Users\Admin\directory\OneDrive.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Users\Admin\Warzonedns.exe
"C:\Users\Admin\Warzonedns.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

Filesize
100KB

MD5
0349cc83ad82303b698208de1d94a398

SHA1
fc0d69a89b08de47f6f84ae598d63505c5855d9d

SHA256
6b6ba8ede3ae7217dcc7fcbdd8806ae6cc707b5046da96406aa05df076675a55

SHA512
45c554287a5f38c86e201d3d841e9e5b0e9973a26432b6d45965a9bb960614e12b23335965d9c13b0b92171cc81972a70919b9ff1e51b566aa368cb34ac9108a

Download Submit
C:\ProgramData\images.exe

Filesize
100KB

MD5
0349cc83ad82303b698208de1d94a398

SHA1
fc0d69a89b08de47f6f84ae598d63505c5855d9d

SHA256
6b6ba8ede3ae7217dcc7fcbdd8806ae6cc707b5046da96406aa05df076675a55

SHA512
45c554287a5f38c86e201d3d841e9e5b0e9973a26432b6d45965a9bb960614e12b23335965d9c13b0b92171cc81972a70919b9ff1e51b566aa368cb34ac9108a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0ed2f26fc5a9b4ca71e0a88fcc8e1bd7

SHA1
03b938e6bc4e3f2b33bea4a5aaaf478adda66a3f

SHA256
caf3a5c718b2dc6f919dd831fe9c6e83a8b14edc4893d7798ccd2e91394de860

SHA512
79e610250e654ee070ded517f1612ebf8bccd92e935ed01d4bef17ae6bcb8a1d54a7931dfa8705783ff122985ddba259ea5a2ddab5f8a3f7606a12f38e809c6c

Download Submit
C:\Users\Admin\Warzonedns.exe

Filesize
100KB

MD5
0349cc83ad82303b698208de1d94a398

SHA1
fc0d69a89b08de47f6f84ae598d63505c5855d9d

SHA256
6b6ba8ede3ae7217dcc7fcbdd8806ae6cc707b5046da96406aa05df076675a55

SHA512
45c554287a5f38c86e201d3d841e9e5b0e9973a26432b6d45965a9bb960614e12b23335965d9c13b0b92171cc81972a70919b9ff1e51b566aa368cb34ac9108a

Download Submit
C:\Users\Admin\Warzonedns.exe

Filesize
100KB

MD5
0349cc83ad82303b698208de1d94a398

SHA1
fc0d69a89b08de47f6f84ae598d63505c5855d9d

SHA256
6b6ba8ede3ae7217dcc7fcbdd8806ae6cc707b5046da96406aa05df076675a55

SHA512
45c554287a5f38c86e201d3d841e9e5b0e9973a26432b6d45965a9bb960614e12b23335965d9c13b0b92171cc81972a70919b9ff1e51b566aa368cb34ac9108a

Download Submit
C:\Users\Admin\directory\OneDrive.exe

Filesize
468KB

MD5
606529b46b36d5989d93440d0f9e85cf

SHA1
9dd95827086393300df86e724644038d014f7473

SHA256
f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3

SHA512
b97d2d3f46e769a33c2d05b5bd46e4cda845c3450d2f123fd9a4486e56b593ea79507d2d08f2add6f0449a677cd9d7bd3127f984c425e081cb7378b94ded2292

Download Submit
C:\Users\Admin\directory\OneDrive.exe

Filesize
468KB

MD5
606529b46b36d5989d93440d0f9e85cf

SHA1
9dd95827086393300df86e724644038d014f7473

SHA256
f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3

SHA512
b97d2d3f46e769a33c2d05b5bd46e4cda845c3450d2f123fd9a4486e56b593ea79507d2d08f2add6f0449a677cd9d7bd3127f984c425e081cb7378b94ded2292

Download Submit
C:\Users\Admin\directory\OneDrive.exe

Filesize
468KB

MD5
606529b46b36d5989d93440d0f9e85cf

SHA1
9dd95827086393300df86e724644038d014f7473

SHA256
f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3

SHA512
b97d2d3f46e769a33c2d05b5bd46e4cda845c3450d2f123fd9a4486e56b593ea79507d2d08f2add6f0449a677cd9d7bd3127f984c425e081cb7378b94ded2292

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\ProgramData\images.exe

Filesize
100KB

MD5
0349cc83ad82303b698208de1d94a398

SHA1
fc0d69a89b08de47f6f84ae598d63505c5855d9d

SHA256
6b6ba8ede3ae7217dcc7fcbdd8806ae6cc707b5046da96406aa05df076675a55

SHA512
45c554287a5f38c86e201d3d841e9e5b0e9973a26432b6d45965a9bb960614e12b23335965d9c13b0b92171cc81972a70919b9ff1e51b566aa368cb34ac9108a

Download Submit
\ProgramData\images.exe

Filesize
100KB

MD5
0349cc83ad82303b698208de1d94a398

SHA1
fc0d69a89b08de47f6f84ae598d63505c5855d9d

SHA256
6b6ba8ede3ae7217dcc7fcbdd8806ae6cc707b5046da96406aa05df076675a55

SHA512
45c554287a5f38c86e201d3d841e9e5b0e9973a26432b6d45965a9bb960614e12b23335965d9c13b0b92171cc81972a70919b9ff1e51b566aa368cb34ac9108a

Download Submit
\Users\Admin\Warzonedns.exe

Filesize
100KB

MD5
0349cc83ad82303b698208de1d94a398

SHA1
fc0d69a89b08de47f6f84ae598d63505c5855d9d

SHA256
6b6ba8ede3ae7217dcc7fcbdd8806ae6cc707b5046da96406aa05df076675a55

SHA512
45c554287a5f38c86e201d3d841e9e5b0e9973a26432b6d45965a9bb960614e12b23335965d9c13b0b92171cc81972a70919b9ff1e51b566aa368cb34ac9108a

Download Submit
\Users\Admin\Warzonedns.exe

Filesize
100KB

MD5
0349cc83ad82303b698208de1d94a398

SHA1
fc0d69a89b08de47f6f84ae598d63505c5855d9d

SHA256
6b6ba8ede3ae7217dcc7fcbdd8806ae6cc707b5046da96406aa05df076675a55

SHA512
45c554287a5f38c86e201d3d841e9e5b0e9973a26432b6d45965a9bb960614e12b23335965d9c13b0b92171cc81972a70919b9ff1e51b566aa368cb34ac9108a

Download Submit
\Users\Admin\directory\OneDrive.exe

Filesize
468KB

MD5
606529b46b36d5989d93440d0f9e85cf

SHA1
9dd95827086393300df86e724644038d014f7473

SHA256
f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3

SHA512
b97d2d3f46e769a33c2d05b5bd46e4cda845c3450d2f123fd9a4486e56b593ea79507d2d08f2add6f0449a677cd9d7bd3127f984c425e081cb7378b94ded2292

Download Submit
\Users\Admin\directory\OneDrive.exe

Filesize
468KB

MD5
606529b46b36d5989d93440d0f9e85cf

SHA1
9dd95827086393300df86e724644038d014f7473

SHA256
f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3

SHA512
b97d2d3f46e769a33c2d05b5bd46e4cda845c3450d2f123fd9a4486e56b593ea79507d2d08f2add6f0449a677cd9d7bd3127f984c425e081cb7378b94ded2292

Download Submit
memory/532-148-0x0000000000000000-mapping.dmp

Download
memory/540-154-0x0000000000000000-mapping.dmp

Download
memory/540-158-0x00000000735C0000-0x0000000073B6B000-memory.dmp

Filesize
5.7MB

Download
memory/784-57-0x0000000000000000-mapping.dmp

Download
memory/784-100-0x0000000077C70000-0x0000000077D46000-memory.dmp

Filesize
856KB

Download
memory/784-99-0x0000000077A80000-0x0000000077C29000-memory.dmp

Filesize
1.7MB

Download
memory/784-97-0x0000000000370000-0x0000000000373000-memory.dmp

Filesize
12KB

Download
memory/1124-67-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-74-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-80-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-81-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-82-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-83-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-84-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-85-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-78-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-88-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-77-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-76-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-75-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-79-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-73-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-72-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-71-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-70-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-69-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-68-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-66-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-65-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-64-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-63-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-61-0x0000000077A80000-0x0000000077C29000-memory.dmp

Filesize
1.7MB

Download
memory/1124-62-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1124-60-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/1124-56-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download
memory/1348-111-0x0000000077A80000-0x0000000077C29000-memory.dmp

Filesize
1.7MB

Download
memory/1348-136-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-119-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-120-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-121-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-122-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-123-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-124-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-125-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-126-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-127-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-128-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-129-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-130-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-131-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-132-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-133-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-134-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-135-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-118-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-137-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-117-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-91-0x0000000000000000-mapping.dmp

Download
memory/1348-141-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-110-0x0000000000500000-0x0000000000503000-memory.dmp

Filesize
12KB

Download
memory/1348-112-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-113-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-116-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-115-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-114-0x0000000077C60000-0x0000000077DE0000-memory.dmp

Filesize
1.5MB

Download
memory/1380-95-0x0000000000000000-mapping.dmp

Download
memory/1384-143-0x0000000077A80000-0x0000000077C29000-memory.dmp

Filesize
1.7MB

Download
memory/1384-142-0x00000000003C0000-0x00000000003C3000-memory.dmp

Filesize
12KB

Download
memory/1384-106-0x0000000000000000-mapping.dmp

Download
memory/1384-140-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1632-155-0x0000000000000000-mapping.dmp

Download
memory/1632-159-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1656-144-0x0000000000000000-mapping.dmp

Download
memory/1656-152-0x0000000073B70000-0x000000007411B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-153-0x0000000073B70000-0x000000007411B000-memory.dmp

Filesize
5.7MB

Download