netwire | 823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4

Analysis

max time kernel
176s
max time network
221s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
Size

322KB
MD5

8c6786529c56bfe3802712e393a13e4c
SHA1

e88851e8fb9b948911616d4fad67e3f4b7b970af
SHA256

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4
SHA512

769a5434ebc6079dbd9d056e6b31d1bcc7338bb209e376b6b02d85476348e9fff8d098c5dbdea9eb11e26d09ed6b2f619198aa1c02c68732a0bf29be6e21f46d
SSDEEP

3072:is9Poak1p9oc77gB2Iz3p2j1abSHLTXaUjxTsqu7oDE7wuTJOu:3PoDj9/EBnUpPXFBZl4Jl

Score

10^/10

netwire botnet evasion rat stealer trojan

Malware Config

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1044-61-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1044-63-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1044-64-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1044-67-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1044-74-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1968-93-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1968-104-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1044-106-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe

Executes dropped EXE 3 IoCs

Processes:

AppMgnt.exehknswc.exeAppMgnt.exe

pid process

1284 AppMgnt.exe
1828 hknswc.exe
1680 AppMgnt.exe
Loads dropped DLL 3 IoCs

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exeAppMgnt.exehknswc.exe

pid process

1428 823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
1284 AppMgnt.exe
1828 hknswc.exe

pid	process
1284	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe

Drops file in System32 directory 3 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\.Identifier	svchost.exe
File opened for modification	C:\Windows\SysWOW64\.Identifier	svchost.exe
File opened for modification	C:\Windows\SysWOW64\.Identifier	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exehknswc.exe

description	pid	process	target process
PID 1428 set thread context of 1044	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 1828 set thread context of 1968	1828	hknswc.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1592 schtasks.exe
992 schtasks.exe

pid	process
1592	schtasks.exe
992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exeAppMgnt.exehknswc.exeAppMgnt.exe

pid	process
1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
1284	AppMgnt.exe
1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
1284	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1680	AppMgnt.exe
1828	hknswc.exe
1680	AppMgnt.exe
1828	hknswc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exeAppMgnt.exehknswc.exeAppMgnt.exe

description	pid	process
Token: SeDebugPrivilege	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
Token: SeDebugPrivilege	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
Token: SeDebugPrivilege	1284	AppMgnt.exe
Token: SeDebugPrivilege	1828	hknswc.exe
Token: SeDebugPrivilege	1680	AppMgnt.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exeAppMgnt.exehknswc.exeAppMgnt.exe

description	pid	process	target process
PID 1428 wrote to memory of 1044	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 1428 wrote to memory of 1044	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 1428 wrote to memory of 1044	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 1428 wrote to memory of 1044	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 1428 wrote to memory of 1044	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 1428 wrote to memory of 1044	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 1428 wrote to memory of 1044	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 1428 wrote to memory of 1044	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 1428 wrote to memory of 1044	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	svchost.exe
PID 1428 wrote to memory of 1284	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	AppMgnt.exe
PID 1428 wrote to memory of 1284	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	AppMgnt.exe
PID 1428 wrote to memory of 1284	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	AppMgnt.exe
PID 1428 wrote to memory of 1284	1428	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe	AppMgnt.exe
PID 1284 wrote to memory of 1592	1284	AppMgnt.exe	schtasks.exe
PID 1284 wrote to memory of 1592	1284	AppMgnt.exe	schtasks.exe
PID 1284 wrote to memory of 1592	1284	AppMgnt.exe	schtasks.exe
PID 1284 wrote to memory of 1592	1284	AppMgnt.exe	schtasks.exe
PID 1284 wrote to memory of 1828	1284	AppMgnt.exe	hknswc.exe
PID 1284 wrote to memory of 1828	1284	AppMgnt.exe	hknswc.exe
PID 1284 wrote to memory of 1828	1284	AppMgnt.exe	hknswc.exe
PID 1284 wrote to memory of 1828	1284	AppMgnt.exe	hknswc.exe
PID 1828 wrote to memory of 1968	1828	hknswc.exe	svchost.exe
PID 1828 wrote to memory of 1968	1828	hknswc.exe	svchost.exe
PID 1828 wrote to memory of 1968	1828	hknswc.exe	svchost.exe
PID 1828 wrote to memory of 1968	1828	hknswc.exe	svchost.exe
PID 1828 wrote to memory of 1968	1828	hknswc.exe	svchost.exe
PID 1828 wrote to memory of 1968	1828	hknswc.exe	svchost.exe
PID 1828 wrote to memory of 1968	1828	hknswc.exe	svchost.exe
PID 1828 wrote to memory of 1968	1828	hknswc.exe	svchost.exe
PID 1828 wrote to memory of 1968	1828	hknswc.exe	svchost.exe
PID 1828 wrote to memory of 1680	1828	hknswc.exe	AppMgnt.exe
PID 1828 wrote to memory of 1680	1828	hknswc.exe	AppMgnt.exe
PID 1828 wrote to memory of 1680	1828	hknswc.exe	AppMgnt.exe
PID 1828 wrote to memory of 1680	1828	hknswc.exe	AppMgnt.exe
PID 1680 wrote to memory of 992	1680	AppMgnt.exe	schtasks.exe
PID 1680 wrote to memory of 992	1680	AppMgnt.exe	schtasks.exe
PID 1680 wrote to memory of 992	1680	AppMgnt.exe	schtasks.exe
PID 1680 wrote to memory of 992	1680	AppMgnt.exe	schtasks.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe

C:\Users\Admin\AppData\Local\Temp\823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe
"C:\Users\Admin\AppData\Local\Temp\823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1428

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Drops file in System32 directory
PID:1044

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
- Drops file in System32 directory
PID:1968

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
Filesize
322KB

MD5
8c6786529c56bfe3802712e393a13e4c

SHA1
e88851e8fb9b948911616d4fad67e3f4b7b970af

SHA256
823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4

SHA512
769a5434ebc6079dbd9d056e6b31d1bcc7338bb209e376b6b02d85476348e9fff8d098c5dbdea9eb11e26d09ed6b2f619198aa1c02c68732a0bf29be6e21f46d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
Filesize
322KB

MD5
8c6786529c56bfe3802712e393a13e4c

SHA1
e88851e8fb9b948911616d4fad67e3f4b7b970af

SHA256
823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4

SHA512
769a5434ebc6079dbd9d056e6b31d1bcc7338bb209e376b6b02d85476348e9fff8d098c5dbdea9eb11e26d09ed6b2f619198aa1c02c68732a0bf29be6e21f46d

Download Submit
C:\Windows\SysWOW64\.Identifier
Filesize
68B

MD5
767abe429edb255ea75cc5a1038c5672

SHA1
b236c41038d4bcbcaf7cd417862e5039c8f6cc5c

SHA256
bb1b0d0313eba4ead2f17cc110d99cf9c1e66a0464ef9d73bff05c8fcf592f7f

SHA512
6b8703800ed6670f3d45c1b31c70ab83e01b60095ecd0bdb017a35319c8148e05caa01fe6af64026dcd200207dc449143cf08bc077a420a2d55585b1b66763c7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
Filesize
322KB

MD5
8c6786529c56bfe3802712e393a13e4c

SHA1
e88851e8fb9b948911616d4fad67e3f4b7b970af

SHA256
823af0190dc3ae5d1952000b7f47e920472e1451b3f38441656f0c3e8ce6cbb4

SHA512
769a5434ebc6079dbd9d056e6b31d1bcc7338bb209e376b6b02d85476348e9fff8d098c5dbdea9eb11e26d09ed6b2f619198aa1c02c68732a0bf29be6e21f46d

Download Submit
memory/992-103-0x0000000000000000-mapping.dmp

Download
memory/1044-106-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-64-0x0000000000402196-mapping.dmp

Download
memory/1044-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1284-83-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1284-75-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1284-69-0x0000000000000000-mapping.dmp

Download
memory/1428-73-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1428-84-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1428-55-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1428-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1592-77-0x0000000000000000-mapping.dmp

Download
memory/1680-99-0x0000000000000000-mapping.dmp

Download
memory/1680-105-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1680-108-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1828-82-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1828-79-0x0000000000000000-mapping.dmp

Download
memory/1828-107-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1968-93-0x0000000000402196-mapping.dmp

Download
memory/1968-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download