netwire | bad749cf90bba616c3b4dc66bcc60a62b3bcd6286b731e90740f578a0e6d4970

Analysis

max time kernel
157s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bad749cf90bba616c3b4dc66bcc60a62b3bcd6286b731e90740f578a0e6d4970.exe
Size

779KB
MD5

d1822b2bd8c78299a0d9b89548800861
SHA1

9e04cf773926d88d69d617289a3d413c915a1447
SHA256

bad749cf90bba616c3b4dc66bcc60a62b3bcd6286b731e90740f578a0e6d4970
SHA512

8e4f805c2ff1ba145f1544d3c68b8af834ce557aba1a43d6fb6622cfdae259bec7a65f4a7edb889a2c600c5b838456032f1e40d0c44da48088d56fef9b537e9f
SSDEEP

12288:QK2mhAMJ/cPlZZbsRcrjztWwctzEDwU4FhTtcc68h7UHy5y+TS4SMQaD/FYkSZQI:N2O/GlZZSc/zcwSQ94j97Aml9SZW73cF

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Malware Config

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4412-160-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral2/memory/4412-166-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

cvfts.execvfts.exe

pid process

5020 cvfts.exe
2348 cvfts.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bad749cf90bba616c3b4dc66bcc60a62b3bcd6286b731e90740f578a0e6d4970.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	bad749cf90bba616c3b4dc66bcc60a62b3bcd6286b731e90740f578a0e6d4970.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cvfts.exeRegSvcs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cvfts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdsdowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\xdkqa\\cvfts.exe C:\\Users\\Admin\\AppData\\Roaming\\xdkqa\\erams.qjj"	cvfts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdsdowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\xdkqa\\cvfts.exe C:\\Users\\Admin\\AppData\\Roaming\\xdkqa\\erams.qjj"	RegSvcs.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

cvfts.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cvfts.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cvfts.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cvfts.exe

description	pid	process	target process
PID 2348 set thread context of 4412	2348	cvfts.exe	RegSvcs.exe
PID 2348 set thread context of 4592	2348	cvfts.exe	RegSvcs.exe

Drops file in Windows directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cvfts.exeRegSvcs.exe

pid	process
5020	cvfts.exe
5020	cvfts.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

bad749cf90bba616c3b4dc66bcc60a62b3bcd6286b731e90740f578a0e6d4970.execvfts.execvfts.exe

description	pid	process	target process
PID 4884 wrote to memory of 5020	4884	bad749cf90bba616c3b4dc66bcc60a62b3bcd6286b731e90740f578a0e6d4970.exe	cvfts.exe
PID 4884 wrote to memory of 5020	4884	bad749cf90bba616c3b4dc66bcc60a62b3bcd6286b731e90740f578a0e6d4970.exe	cvfts.exe
PID 4884 wrote to memory of 5020	4884	bad749cf90bba616c3b4dc66bcc60a62b3bcd6286b731e90740f578a0e6d4970.exe	cvfts.exe
PID 5020 wrote to memory of 2348	5020	cvfts.exe	cvfts.exe
PID 5020 wrote to memory of 2348	5020	cvfts.exe	cvfts.exe
PID 5020 wrote to memory of 2348	5020	cvfts.exe	cvfts.exe
PID 2348 wrote to memory of 4412	2348	cvfts.exe	RegSvcs.exe
PID 2348 wrote to memory of 4412	2348	cvfts.exe	RegSvcs.exe
PID 2348 wrote to memory of 4412	2348	cvfts.exe	RegSvcs.exe
PID 2348 wrote to memory of 4412	2348	cvfts.exe	RegSvcs.exe
PID 2348 wrote to memory of 4412	2348	cvfts.exe	RegSvcs.exe
PID 2348 wrote to memory of 4412	2348	cvfts.exe	RegSvcs.exe
PID 2348 wrote to memory of 4412	2348	cvfts.exe	RegSvcs.exe
PID 2348 wrote to memory of 4412	2348	cvfts.exe	RegSvcs.exe
PID 2348 wrote to memory of 4412	2348	cvfts.exe	RegSvcs.exe
PID 2348 wrote to memory of 4592	2348	cvfts.exe	RegSvcs.exe
PID 2348 wrote to memory of 4592	2348	cvfts.exe	RegSvcs.exe
PID 2348 wrote to memory of 4592	2348	cvfts.exe	RegSvcs.exe
PID 2348 wrote to memory of 4592	2348	cvfts.exe	RegSvcs.exe
PID 2348 wrote to memory of 4592	2348	cvfts.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\bad749cf90bba616c3b4dc66bcc60a62b3bcd6286b731e90740f578a0e6d4970.exe
"C:\Users\Admin\AppData\Local\Temp\bad749cf90bba616c3b4dc66bcc60a62b3bcd6286b731e90740f578a0e6d4970.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Roaming\xdkqa\cvfts.exe
"C:\Users\Admin\AppData\Roaming\xdkqa\cvfts.exe" erams.qjj
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5020

C:\Users\Admin\AppData\Roaming\xdkqa\cvfts.exe
C:\Users\Admin\AppData\Roaming\xdkqa\cvfts.exe C:\Users\Admin\AppData\Roaming\xdkqa\MURFG
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
- Drops file in Windows directory
PID:4412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
C:\Users\Admin\AppData\Roaming\xdkqa\MURFG
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\xdkqa\MURFG
Filesize
91KB

MD5
95da1e6539333b1e58e22e4615cb0138

SHA1
02f825b227f559539621e3bb042576c9792d61c7

SHA256
e56c096e7fbf783f01c6ab0a43792612b0b4659ae10d0109fc4c80c6ee85b98b

SHA512
09e75b4bc14339d6d39dcbe0e071fda9a7edd9f74147976b5a3db90ceb3d923e3b5ef00dee4dd2d678fa092566832092dd94c384819a473a17d916de19790daf

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\YMQGIX
Filesize
35KB

MD5
f9d66d65727362e615e51559db07d7fe

SHA1
09365e5eb510b444b2c20a8fa093e6aa4ef07f43

SHA256
a047b043788cd7294d4bd8a1f71c0456394450cac7b338a931e104126927b867

SHA512
452ec4d88ea531c38a09e28886330561e5ca186260da911703a431759a0ffd20360946c308da761ebb7a48e9ea321c919127f182b4213e4319458b21bdf01980

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\biqkv.mai
Filesize
715B

MD5
e1c916e6c61237903f840887f1905de7

SHA1
17fe92a7872bf76f21fdd5c239046094465e3608

SHA256
1df7d095be52f8929793cfedad7bb8b08815c2f8630338f623e11ba30c7c55f9

SHA512
1d4c3511b5e4547a0dcd6d751319fb78c82307abeabbadc7abc387928e31c2810c2e9eee8c865dfaec5dc6d6f5bdd92b5afdf4bb7eb5be72b22962bad375432a

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\bqkin.ghb
Filesize
518B

MD5
3140137ba775ee3755f2cac17594671b

SHA1
0a3245e363966da6dfb6068adc568ca179319311

SHA256
ffa9d9dfb086537d56345becc58098ebf80c21edff724ae1006952f126425090

SHA512
bcd84fa42601fe2b494177a28322cc1df48423063f6dbe5e760c64862c96e4249b22131e47dfb6b7c439c1a6c6270b17e1aab695be35b22e29ceccd0774e371c

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\cnwuc.qmq
Filesize
490B

MD5
215eecb607900c112dc001aefc537230

SHA1
b8bd78aa40b27baec9cda9defeaec1e1b2edfc1e

SHA256
800d1699fac1d5f81808d5ffa0182a7468dd2a37b8df05929e1053450438a1e8

SHA512
b5c229129383159b2607585be98860cae28cd4ad31fd5a8f0a7e54c2d663656b80c4504ef49060adbd6d6e9a63d51d2ac2029955745794933a2f4c810c35020e

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\cvfts.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\cvfts.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\cvfts.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\deefo.boc
Filesize
614B

MD5
03a0a784e0f4af96e7d0d477b314c09c

SHA1
eb6f0ae424fe0fce5be59ff31194e74526a1d3b5

SHA256
d24f376c500d63a801d7b781546b4c6a03690b421e9caee796b2f5bff782fbc0

SHA512
8ca10e491e4fa233f54dfe7784ab5af85e2ed0cea43fc690d8ae7905d9b45e7de351ea42d893b2bb8fe4634de736bcf5c7cee04a9c7720309234009877849983

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\erams.qjj
Filesize
812KB

MD5
4d67e5dc7da1124c1180012a68d6d03f

SHA1
3d459b217d4f3d9a52e11e39d23cc221cf02942c

SHA256
8e8e4aadb976b7f86661adf2de4572ce8338ca467b594e70a9c19d4d9a1f047f

SHA512
ba5dfca3446362075d60ec26e084da83b07f5317f74e5317b2ad4ca1ba528019e4cf49b94668940c7e87e4d480114e2abda0b1963e5feaefde7b70bd5d4bf385

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\ipcne.stv
Filesize
69B

MD5
0127ada206fc0d1199e2b5aeeae08b71

SHA1
1c7581ff1f0e89da2462abd556d5c400e935f7fb

SHA256
1f97bcf15c0448e666c276ce8d020310076c81a4fad956150651acd46a36f1e8

SHA512
9f09045c6153061917ab90c56b688fd9c6419cea45c034ec1bcc2167b94c8a2508770a509538ddeeb28e10c6aef2215655c03d1664e52c0402d47f8522a5bf0b

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\iumje.jeo
Filesize
322B

MD5
407993b4990acb2da91ac69a7cd0f7e3

SHA1
c4dad33e31e42af16452b4d83d084e067ad4b598

SHA256
bb78378b82c74348ee170843d352276f0190b49fa2f7366b4b0cd45f142a4a87

SHA512
5ca2b25826033296493ea1014af1591e83f4f7ca43d9aa88197a1f25a6f56744300b35d4518bcbb0d7c2917b361d0664a1590cf4b2c592ff510a0bb0595235d7

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\jculp.ipb
Filesize
151B

MD5
4f8ae0125c7c832ac365e32a38b4ff7c

SHA1
24c44872dbcfef9954743174eb1e8541f23d2308

SHA256
debebd06b840708f2f7578a4c7ad2a74806b44e610ba972f243b8a5e5c85a5b0

SHA512
9f5417740332315f01c17aecd1e065babcc188fb3d3d83e4c38b3841b4afa7bba55b76694d48f5a20e340e773c021e654cc00ba6a94d6e05545eaf1ac071a87c

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\kc
Filesize
68KB

MD5
88e3c114872bc6415e77819bba327bb2

SHA1
84dd7f9f4035168df99a1b50945fa929adc85db6

SHA256
136656e0ec276d798420698631bcb425828ea3518f06d429af39e1224625a5c3

SHA512
fa2122c67407855b5fb797b00eb9455a38b1610bc07ca940ddf0efa14ef3778309e435094d8e30453f99e18fe58e668ca1c03b90034fa1060a41928e38902fa5

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\llbha.eml
Filesize
232B

MD5
06016c50ccd23723695f988848c94e57

SHA1
3bea075bbf64c144357ddc7bd2d00c70ea77381c

SHA256
2b5eb6c09a4c267c3b113844c93f0ed908831db1b4f17cddf718d9eefb02e1f0

SHA512
dd1c970f0a2c03bfd50307b10cbea2a0645b67d1866390be1b62a2ee1bd286f1c1b5a60f1e35e8f373c13c494e94fdbc055b2d1fceaad32481d5e114e054b43f

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\ormtx.nnt
Filesize
344B

MD5
bb4ad69dea7cb930513207431098ace6

SHA1
794bdb4034ad40ed2f85b994c816a477a186351b

SHA256
dad2de178c582a5e0cdf20bbe5fbf9cb86d182f6ed4ed8027ca348d5bba52d89

SHA512
285934638f6242d06638ea9d5d0ac0fe5fe5768262e12a2529c5201fbb359751314745cf1bd2fce35e231c13189a262ed740d979df286303e3b26568d55fea2f

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\spd
Filesize
4B

MD5
098f6bcd4621d373cade4e832627b4f6

SHA1
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

SHA256
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

SHA512
ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\todjb.qtg
Filesize
97B

MD5
c35bae4817a01d7c33f0e2dfa6aa4acf

SHA1
6a3e28ccdd748e2030ebabc325f44c1cc87e9635

SHA256
51dd06889efd0d10b715d156f7caac1ea24b3506d2072192c5fd1e5709e57250

SHA512
14ad502ae6e92d1edecbedfd42529b8b5674f8801c9300f567d0ab34982524b1a3e632dbf9719d65b1b42910bd539a63710c2f67f93cfd819cac3bcd146d5c84

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\tu
Filesize
91KB

MD5
78c062b63bd589a1416ede1706d42e9a

SHA1
aebde98d2dff43f79b3f7ed9e03b2bbad1277141

SHA256
4ace811f03bc7618b4a44175dc45195975bd9f3b64c06dbd737387e35576bfe9

SHA512
a3727749da81316ddf51474e76245678f60c54e2c8a488618f0fdf49fcb6f906741bed3ddc7ca85a21ba2e2a9cd928c13a068ed05da87db3e654c6e540933389

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\uvnof.trr
Filesize
294B

MD5
8712cf87b2f9408098f527144eec7e1a

SHA1
c616d9e41bf69b19b3fa4b3e641c2b5f9ae5f07c

SHA256
e9b902446216a4d957da17ffd38a84d3214e05da3bc749333ce5bf706bb06f89

SHA512
9415913823914bdda784bd8c7f82ba278f437c40dc6f92ef33fca23d816b93e57bb1e1e6b04c5feab1307291f46c8f9bb7045291512ada48eececec347218286

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\vbcju.fqg
Filesize
112B

MD5
b7af9a9105f2fcd6609bb1c8c03483b7

SHA1
fcd3a7d9d4a7553d72b2d81427f66de98ace3ccc

SHA256
58894fc086c297a053afe4aaa9fbc247b4db75ad66318ba9a69a5ee0089d3275

SHA512
9ffc73635e67aa6f060c623f6aaf57ba10244211e2d631833602eaf528cb90a7264c228fa546b7cfb14c00d74ad324aa4b19b9f0ef48251299e124c7809f5382

Download Submit
C:\Users\Admin\AppData\Roaming\xdkqa\xlqhq.llv
Filesize
228B

MD5
6ccd6fbde99d702c3a8e9945d7f95f80

SHA1
a022325da53f57be088a8cc4c39801b2b98e3b11

SHA256
0c291881413ae95ac9399bd8fe7ed295112f191ca5bc4555632c831974290b42

SHA512
8453ff36eae89c392d62b0f36aee025e182c4930606d0b832a9aed58c090f8a24ee453aff19c16c17d74ef218dc2b37e62b0876888f6a36ba5d008a02337fd24

Download Submit
memory/2348-152-0x0000000000000000-mapping.dmp

Download
memory/4412-166-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4412-155-0x0000000000000000-mapping.dmp

Download
memory/4412-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4412-158-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4412-160-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4592-159-0x0000000000000000-mapping.dmp

Download
memory/4592-163-0x0000000000D30000-0x0000000000DFC000-memory.dmp

Filesize
816KB

Download
memory/4592-164-0x0000000000D30000-0x0000000000DFC000-memory.dmp

Filesize
816KB

Download
memory/4592-161-0x0000000000D30000-0x0000000000DFC000-memory.dmp

Filesize
816KB

Download
memory/4592-167-0x0000000000D30000-0x0000000000DFC000-memory.dmp

Filesize
816KB

Download
memory/5020-132-0x0000000000000000-mapping.dmp

Download