modiloader | 2688204813e40e64d5451b87d7028267200caba846773f6b115c3d1dbc675032

Analysis

max time kernel
72s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2023 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wbhmdn.exe
Size

753KB
MD5

6d5e7540cc8cb9593f0b0d355b7275a4
SHA1

dffcef6fbf66c16558c8a7fef4d8bc49fcbe224e
SHA256

2688204813e40e64d5451b87d7028267200caba846773f6b115c3d1dbc675032
SHA512

732ae3cde7dd5cfe36f2252232f8d36c918f84481a5cce467fbc676c60cb83c4cf863d88e0de62c58b6ca7723095f2c77cf51f811078490323bac871a52288d6
SSDEEP

12288:NRF268BfCbyuSwcLzXr0cyRmRxW0FPAQMIY5GCIdXKh1uFNuv:fE7CbR9cvoRoxfasY9qQuHuv

Score

10^/10

modiloader netwire botnet persistence rat stealer trojan

Malware Config

Extracted

Family

netwire

pedrohjy.ddns.net:6655

pedrohjy1.ddns.net:6655

pedrohjy2.ddns.net:6655

pedrohjy3.ddns.net:6655

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
dec2022
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
1234
registry_autorun
false
use_mutex
false

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4992-158-0x0000000000400000-0x0000000000434000-memory.dmp	netwire
behavioral2/memory/4992-160-0x0000000000400000-0x0000000000434000-memory.dmp	netwire
behavioral2/memory/4992-164-0x0000000000400000-0x0000000000433095-memory.dmp	netwire
behavioral2/memory/2988-175-0x0000000000400000-0x0000000000434000-memory.dmp	netwire
behavioral2/memory/2988-176-0x0000000000400000-0x0000000000433095-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1652-132-0x00000000022D0000-0x00000000022FF000-memory.dmp	modiloader_stage2
behavioral2/memory/3500-165-0x00000000006E0000-0x000000000070F000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

Processes:

easinvoker.exeHost.exeHost.exe

pid process

3924 easinvoker.exe
3500 Host.exe
2988 Host.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wbhmdn.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation wbhmdn.exe
Loads dropped DLL 1 IoCs

Processes:

easinvoker.exe

pid process

3924 easinvoker.exe

pid	process
3924	easinvoker.exe
3500	Host.exe
2988	Host.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wbhmdn.exe

pid	process
3924	easinvoker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wbhmdn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hrvzponp = "C:\\Users\\Public\\Libraries\\pnopzvrH.url"	wbhmdn.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

wbhmdn.exeHost.exe

description	pid	process	target process
PID 1652 set thread context of 4992	1652	wbhmdn.exe	wbhmdn.exe
PID 3500 set thread context of 2988	3500	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2996 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2348 powershell.exe
2348 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2348 powershell.exe

pid	process
2996	PING.EXE

pid	process
2348	powershell.exe
2348	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2348	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

wbhmdn.execmd.exeeasinvoker.execmd.exewbhmdn.exeHost.exe

description	pid	process	target process
PID 1652 wrote to memory of 4936	1652	wbhmdn.exe	cmd.exe
PID 1652 wrote to memory of 4936	1652	wbhmdn.exe	cmd.exe
PID 1652 wrote to memory of 4936	1652	wbhmdn.exe	cmd.exe
PID 4936 wrote to memory of 4264	4936	cmd.exe	cmd.exe
PID 4936 wrote to memory of 4264	4936	cmd.exe	cmd.exe
PID 4936 wrote to memory of 4264	4936	cmd.exe	cmd.exe
PID 4936 wrote to memory of 2192	4936	cmd.exe	xcopy.exe
PID 4936 wrote to memory of 2192	4936	cmd.exe	xcopy.exe
PID 4936 wrote to memory of 2192	4936	cmd.exe	xcopy.exe
PID 4936 wrote to memory of 4148	4936	cmd.exe	cmd.exe
PID 4936 wrote to memory of 4148	4936	cmd.exe	cmd.exe
PID 4936 wrote to memory of 4148	4936	cmd.exe	cmd.exe
PID 4936 wrote to memory of 3060	4936	cmd.exe	xcopy.exe
PID 4936 wrote to memory of 3060	4936	cmd.exe	xcopy.exe
PID 4936 wrote to memory of 3060	4936	cmd.exe	xcopy.exe
PID 4936 wrote to memory of 1624	4936	cmd.exe	cmd.exe
PID 4936 wrote to memory of 1624	4936	cmd.exe	cmd.exe
PID 4936 wrote to memory of 1624	4936	cmd.exe	cmd.exe
PID 4936 wrote to memory of 4020	4936	cmd.exe	xcopy.exe
PID 4936 wrote to memory of 4020	4936	cmd.exe	xcopy.exe
PID 4936 wrote to memory of 4020	4936	cmd.exe	xcopy.exe
PID 4936 wrote to memory of 3924	4936	cmd.exe	easinvoker.exe
PID 4936 wrote to memory of 3924	4936	cmd.exe	easinvoker.exe
PID 3924 wrote to memory of 4536	3924	easinvoker.exe	cmd.exe
PID 3924 wrote to memory of 4536	3924	easinvoker.exe	cmd.exe
PID 4936 wrote to memory of 2996	4936	cmd.exe	PING.EXE
PID 4936 wrote to memory of 2996	4936	cmd.exe	PING.EXE
PID 4936 wrote to memory of 2996	4936	cmd.exe	PING.EXE
PID 4536 wrote to memory of 2348	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 2348	4536	cmd.exe	powershell.exe
PID 1652 wrote to memory of 4992	1652	wbhmdn.exe	wbhmdn.exe
PID 1652 wrote to memory of 4992	1652	wbhmdn.exe	wbhmdn.exe
PID 1652 wrote to memory of 4992	1652	wbhmdn.exe	wbhmdn.exe
PID 1652 wrote to memory of 4992	1652	wbhmdn.exe	wbhmdn.exe
PID 4992 wrote to memory of 3500	4992	wbhmdn.exe	Host.exe
PID 4992 wrote to memory of 3500	4992	wbhmdn.exe	Host.exe
PID 4992 wrote to memory of 3500	4992	wbhmdn.exe	Host.exe
PID 3500 wrote to memory of 2988	3500	Host.exe	Host.exe
PID 3500 wrote to memory of 2988	3500	Host.exe	Host.exe
PID 3500 wrote to memory of 2988	3500	Host.exe	Host.exe
PID 3500 wrote to memory of 2988	3500	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\wbhmdn.exe
"C:\Users\Admin\AppData\Local\Temp\wbhmdn.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\HrvzponpO.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
3⤵
PID:4264

C:\Windows\SysWOW64\xcopy.exe
xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
3⤵
- Enumerates system info in registry
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
3⤵
PID:4148

C:\Windows\SysWOW64\xcopy.exe
xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
3⤵
- Enumerates system info in registry
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
3⤵
PID:1624

C:\Windows\SysWOW64\xcopy.exe
xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
3⤵
- Enumerates system info in registry
PID:4020

C:\Windows \System32\easinvoker.exe
"C:\Windows \System32\easinvoker.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 6
3⤵
- Runs ping.exe
PID:2996

C:\Users\Admin\AppData\Local\Temp\wbhmdn.exe
"C:\Users\Admin\AppData\Local\Temp\wbhmdn.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4992

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:2988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
471B

MD5
754711319399d090fd83609c28768137

SHA1
9733fc959a8fe4bcb71d761e62e8eae9e3bb29a7

SHA256
faa2fc7e8f87dc56ba6ba03f3f2d535277f2db38d561cfb67e103631c96287f7

SHA512
106f3978e9e0a2edfac6a57c95c3a6cd99b0d7a9ea7d5aba6fa374a31693be33b99eaa80874a284d71eb03a5b8b4ef1dec542202c05116f5ef050f8f769de1d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
c136901c2a0696f7a5f4f45ba8725699

SHA1
a319de4877fc337bf0d9e9366c4060e306e1be0d

SHA256
d1fb0a203dfd0d3f900b66de6bc827fcefa90d39e291ef1a7c580ce83faef63d

SHA512
3bf064914a874a96834c35e0859f4338c1422e9cecb913d591aa9ce341da2e4976ed428f3a00f985b699787f118d1558c881b8aa1d102e3da0adbdaf476f5c50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
442B

MD5
302d74aa3072cf0839c4ae03bce6a54c

SHA1
7d85ec347eaefc3667cceae794cead4f1981b3b5

SHA256
7e1556cf174d25b376d83b869862c7a69ec89fe55199c699c7e7d4949caf6a71

SHA512
90f04272876ebaab8a7f296cd8ad15fba1a889612e5904a85e08d28c370a843db6bd427db824a7904c3360a7cdc9aa84362f3297d94ceaa491fee8a69744c866

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
442B

MD5
b23f36427e8e0b4c095fbda78dff1231

SHA1
3ce101f8c53e755c6e2acd61fa83eabfdbd0d557

SHA256
640afd765c26fffaf8414e9c51ada149aef8fc9c74a4d5bb9de60870c8a6f681

SHA512
c06e7d75ade08b0311e047439b90b734686695dea239e5c70106f109d41398cc755728b2a8a75e74184409eef5644e65f3e10472c60d8759db54a54e072172d6

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
753KB

MD5
6d5e7540cc8cb9593f0b0d355b7275a4

SHA1
dffcef6fbf66c16558c8a7fef4d8bc49fcbe224e

SHA256
2688204813e40e64d5451b87d7028267200caba846773f6b115c3d1dbc675032

SHA512
732ae3cde7dd5cfe36f2252232f8d36c918f84481a5cce467fbc676c60cb83c4cf863d88e0de62c58b6ca7723095f2c77cf51f811078490323bac871a52288d6

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
753KB

MD5
6d5e7540cc8cb9593f0b0d355b7275a4

SHA1
dffcef6fbf66c16558c8a7fef4d8bc49fcbe224e

SHA256
2688204813e40e64d5451b87d7028267200caba846773f6b115c3d1dbc675032

SHA512
732ae3cde7dd5cfe36f2252232f8d36c918f84481a5cce467fbc676c60cb83c4cf863d88e0de62c58b6ca7723095f2c77cf51f811078490323bac871a52288d6

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
753KB

MD5
6d5e7540cc8cb9593f0b0d355b7275a4

SHA1
dffcef6fbf66c16558c8a7fef4d8bc49fcbe224e

SHA256
2688204813e40e64d5451b87d7028267200caba846773f6b115c3d1dbc675032

SHA512
732ae3cde7dd5cfe36f2252232f8d36c918f84481a5cce467fbc676c60cb83c4cf863d88e0de62c58b6ca7723095f2c77cf51f811078490323bac871a52288d6

Download Submit
C:\Users\Public\Libraries\HrvzponpO.bat
Filesize
411B

MD5
55aba243e88f6a6813c117ffe1fa5979

SHA1
210b9b028a4b798c837a182321dbf2e50d112816

SHA256
5a11c5641c476891aa30e7ecfa57c2639f6827d8640061f73e9afec0adbbd7d2

SHA512
68009c4c9bbea75a3bfa9f79945d30957a95691ea405d031b4ca7f1cb47504bbc768fcae59173885743ad4d6cfdd2313c3fe0acb515e34e5c809ecdc7f45e307

Download Submit
C:\Users\Public\Libraries\KDECO.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\easinvoker.exe
Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Users\Public\Libraries\netutils.dll
Filesize
109KB

MD5
08aecbf3114e569921df32fb5c8a1dd6

SHA1
9e2fd6ba9b66844292fb49a79fc874ad52f5ecba

SHA256
7c1a178a5629027a0bb19c743e8505b280a5b6dc22088cd1a6a0132e32d79fc2

SHA512
e1895567460a4945690e4d88ada31a41ae7d499eb887108578027cde5aaaa2cfc28779a00fc66d01e49c3e4354caada18a14d61b57fbec40b38de23fd1c91d57

Download Submit
C:\Windows \System32\easinvoker.exe
Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\easinvoker.exe
Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\netutils.dll
Filesize
109KB

MD5
08aecbf3114e569921df32fb5c8a1dd6

SHA1
9e2fd6ba9b66844292fb49a79fc874ad52f5ecba

SHA256
7c1a178a5629027a0bb19c743e8505b280a5b6dc22088cd1a6a0132e32d79fc2

SHA512
e1895567460a4945690e4d88ada31a41ae7d499eb887108578027cde5aaaa2cfc28779a00fc66d01e49c3e4354caada18a14d61b57fbec40b38de23fd1c91d57

Download Submit
C:\Windows \System32\netutils.dll
Filesize
109KB

MD5
08aecbf3114e569921df32fb5c8a1dd6

SHA1
9e2fd6ba9b66844292fb49a79fc874ad52f5ecba

SHA256
7c1a178a5629027a0bb19c743e8505b280a5b6dc22088cd1a6a0132e32d79fc2

SHA512
e1895567460a4945690e4d88ada31a41ae7d499eb887108578027cde5aaaa2cfc28779a00fc66d01e49c3e4354caada18a14d61b57fbec40b38de23fd1c91d57

Download Submit
C:\windows \system32\KDECO.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
memory/1624-142-0x0000000000000000-mapping.dmp

Download
memory/1652-132-0x00000000022D0000-0x00000000022FF000-memory.dmp

Filesize
188KB

Download
memory/2192-137-0x0000000000000000-mapping.dmp

Download
memory/2348-154-0x000001F451E70000-0x000001F451E92000-memory.dmp

Filesize
136KB

Download
memory/2348-153-0x0000000000000000-mapping.dmp

Download
memory/2348-155-0x00007FFDB6170000-0x00007FFDB6C31000-memory.dmp

Filesize
10.8MB

Download
memory/2348-156-0x00007FFDB6170000-0x00007FFDB6C31000-memory.dmp

Filesize
10.8MB

Download
memory/2988-171-0x0000000000000000-mapping.dmp

Download
memory/2988-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-176-0x0000000000400000-0x0000000000433095-memory.dmp

Filesize
204KB

Download
memory/2996-151-0x0000000000000000-mapping.dmp

Download
memory/3060-140-0x0000000000000000-mapping.dmp

Download
memory/3500-165-0x00000000006E0000-0x000000000070F000-memory.dmp

Filesize
188KB

Download
memory/3500-161-0x0000000000000000-mapping.dmp

Download
memory/3924-145-0x0000000000000000-mapping.dmp

Download
memory/4020-143-0x0000000000000000-mapping.dmp

Download
memory/4148-139-0x0000000000000000-mapping.dmp

Download
memory/4264-136-0x0000000000000000-mapping.dmp

Download
memory/4536-150-0x0000000000000000-mapping.dmp

Download
memory/4936-134-0x0000000000000000-mapping.dmp

Download
memory/4992-164-0x0000000000400000-0x0000000000433095-memory.dmp

Filesize
204KB

Download
memory/4992-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-157-0x0000000000000000-mapping.dmp

Download