netwire | 6d880189693cf93dd4ca145b0d3cc8e9295da375654d04ea68a5f67c9f62ae87

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2023, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS.exe
Size

1.7MB
MD5

0f7ae75bde16c261d817cf6fab4e7770
SHA1

030733fd3ed1ad22a1842ee53ffc7ae312652ecd
SHA256

6d880189693cf93dd4ca145b0d3cc8e9295da375654d04ea68a5f67c9f62ae87
SHA512

51698c963bd829c6875d6d70e4e3f44cd99b87bcb2b589f0a1d268cec008a07cd8d9182a51b0eb7714b8cd0c0261e1e279a0404ef59b5877a6e6d5f1c2f69f67
SSDEEP

1536:RbEp4Z40d4I4I4I4I4I4I4I4I4V3424GI5Ac4dONlIKO67gHrc64hUQyOCH1Rog5:Rbnfu

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Malware Config

Extracted

Family

netwire

haija.mine.nu:1338

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Alien
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
qays1122
registry_autorun
false
use_mutex
false

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe\""	KMS.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	KMS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	KMS.exe

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1472-116-0x0000000000400000-0x0000000000434000-memory.dmp	netwire
behavioral1/memory/1472-119-0x0000000000400000-0x0000000000434000-memory.dmp	netwire
behavioral1/memory/1472-127-0x0000000000400000-0x0000000000434000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe = "0"	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KMS.exe = "0"	KMS.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation	KMS.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe	KMS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe	KMS.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	KMS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe = "0"	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KMS.exe = "0"	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	KMS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	KMS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	KMS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	KMS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	KMS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	KMS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KMS.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe"	KMS.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5104 set thread context of 1472	5104	KMS.exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1184	5104	WerFault.exe	84

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1868	timeout.exe
1788	timeout.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2200	powershell.exe
2200	powershell.exe
1424	powershell.exe
1424	powershell.exe
4696	powershell.exe
4696	powershell.exe
320	powershell.exe
320	powershell.exe
1424	powershell.exe
2200	powershell.exe
4696	powershell.exe
320	powershell.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe
5104	KMS.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5104	KMS.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3608	5104	KMS.exe	86
PID 5104 wrote to memory of 3608	5104	KMS.exe	86
PID 5104 wrote to memory of 3608	5104	KMS.exe	86
PID 3608 wrote to memory of 1868	3608	cmd.exe	88
PID 3608 wrote to memory of 1868	3608	cmd.exe	88
PID 3608 wrote to memory of 1868	3608	cmd.exe	88
PID 5104 wrote to memory of 2200	5104	KMS.exe	97
PID 5104 wrote to memory of 2200	5104	KMS.exe	97
PID 5104 wrote to memory of 2200	5104	KMS.exe	97
PID 5104 wrote to memory of 1424	5104	KMS.exe	99
PID 5104 wrote to memory of 1424	5104	KMS.exe	99
PID 5104 wrote to memory of 1424	5104	KMS.exe	99
PID 5104 wrote to memory of 4696	5104	KMS.exe	101
PID 5104 wrote to memory of 4696	5104	KMS.exe	101
PID 5104 wrote to memory of 4696	5104	KMS.exe	101
PID 5104 wrote to memory of 320	5104	KMS.exe	103
PID 5104 wrote to memory of 320	5104	KMS.exe	103
PID 5104 wrote to memory of 320	5104	KMS.exe	103
PID 5104 wrote to memory of 2304	5104	KMS.exe	106
PID 5104 wrote to memory of 2304	5104	KMS.exe	106
PID 5104 wrote to memory of 2304	5104	KMS.exe	106
PID 2304 wrote to memory of 1788	2304	cmd.exe	108
PID 2304 wrote to memory of 1788	2304	cmd.exe	108
PID 2304 wrote to memory of 1788	2304	cmd.exe	108
PID 5104 wrote to memory of 4708	5104	KMS.exe	109
PID 5104 wrote to memory of 4708	5104	KMS.exe	109
PID 5104 wrote to memory of 4708	5104	KMS.exe	109
PID 5104 wrote to memory of 4204	5104	KMS.exe	110
PID 5104 wrote to memory of 4204	5104	KMS.exe	110
PID 5104 wrote to memory of 4204	5104	KMS.exe	110
PID 5104 wrote to memory of 1472	5104	KMS.exe	111
PID 5104 wrote to memory of 1472	5104	KMS.exe	111
PID 5104 wrote to memory of 1472	5104	KMS.exe	111
PID 5104 wrote to memory of 1472	5104	KMS.exe	111
PID 5104 wrote to memory of 1472	5104	KMS.exe	111
PID 5104 wrote to memory of 1472	5104	KMS.exe	111
PID 5104 wrote to memory of 1472	5104	KMS.exe	111
PID 5104 wrote to memory of 1472	5104	KMS.exe	111
PID 5104 wrote to memory of 1472	5104	KMS.exe	111
PID 5104 wrote to memory of 1472	5104	KMS.exe	111
PID 5104 wrote to memory of 1472	5104	KMS.exe	111
PID 5104 wrote to memory of 1472	5104	KMS.exe	111

C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c timeout 5
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:1868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\KMS.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1788
- C:\Users\Admin\AppData\Local\Temp\KMS.exe
  "C:\Users\Admin\AppData\Local\Temp\KMS.exe"
  2⤵
  PID:4708
- C:\Users\Admin\AppData\Local\Temp\KMS.exe
  "C:\Users\Admin\AppData\Local\Temp\KMS.exe"
  2⤵
  PID:4204
- C:\Users\Admin\AppData\Local\Temp\KMS.exe
  "C:\Users\Admin\AppData\Local\Temp\KMS.exe"
  2⤵
  PID:1472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 2204
  2⤵
  - Program crash
  PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5104 -ip 5104
1⤵
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c10f420b63dc6e7609d5e453e03c1447

SHA1
94623bca1fb9455c6787d5c94650a1abefa93a61

SHA256
856b9a9d4a68021f97978b71b112099422a328b5410350d36eeb243aac93a916

SHA512
32b967c1e78f7d0dcb38a4601dc720eb030bfafc00b4062d4025853239e2d02595ed352abaf51cb63426bd0a0086c1bb4453f7a2568be6bbd44bb6d90ab729f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c10f420b63dc6e7609d5e453e03c1447

SHA1
94623bca1fb9455c6787d5c94650a1abefa93a61

SHA256
856b9a9d4a68021f97978b71b112099422a328b5410350d36eeb243aac93a916

SHA512
32b967c1e78f7d0dcb38a4601dc720eb030bfafc00b4062d4025853239e2d02595ed352abaf51cb63426bd0a0086c1bb4453f7a2568be6bbd44bb6d90ab729f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c10f420b63dc6e7609d5e453e03c1447

SHA1
94623bca1fb9455c6787d5c94650a1abefa93a61

SHA256
856b9a9d4a68021f97978b71b112099422a328b5410350d36eeb243aac93a916

SHA512
32b967c1e78f7d0dcb38a4601dc720eb030bfafc00b4062d4025853239e2d02595ed352abaf51cb63426bd0a0086c1bb4453f7a2568be6bbd44bb6d90ab729f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsguoku2.cjh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/320-99-0x000000006FD70000-0x000000006FDBC000-memory.dmp

Filesize
304KB

Download
memory/320-130-0x0000000007320000-0x000000000732E000-memory.dmp

Filesize
56KB

Download
memory/320-62-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/320-125-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/320-126-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/320-131-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/320-69-0x000000007F9E0000-0x000000007F9F0000-memory.dmp

Filesize
64KB

Download
memory/320-60-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

Filesize
120KB

Download
memory/320-41-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/320-18-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/320-143-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/320-132-0x0000000007430000-0x000000000744A000-memory.dmp

Filesize
104KB

Download
memory/320-17-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/1424-110-0x000000007F690000-0x000000007F6A0000-memory.dmp

Filesize
64KB

Download
memory/1424-11-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/1424-63-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/1424-19-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/1424-122-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/1424-14-0x0000000005AB0000-0x0000000005AD2000-memory.dmp

Filesize
136KB

Download
memory/1424-142-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/1424-12-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/1424-121-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/1424-8-0x0000000005AE0000-0x0000000006108000-memory.dmp

Filesize
6.2MB

Download
memory/1424-112-0x0000000007BC0000-0x0000000007BDA000-memory.dmp

Filesize
104KB

Download
memory/1424-114-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/1424-113-0x0000000007C20000-0x0000000007C2A000-memory.dmp

Filesize
40KB

Download
memory/1424-9-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/1424-70-0x000000006FD70000-0x000000006FDBC000-memory.dmp

Filesize
304KB

Download
memory/1472-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-128-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/2200-144-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/2200-100-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/2200-7-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/2200-111-0x0000000007A00000-0x000000000807A000-memory.dmp

Filesize
6.5MB

Download
memory/2200-10-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/2200-68-0x000000006FD70000-0x000000006FDBC000-memory.dmp

Filesize
304KB

Download
memory/2200-64-0x000000007F730000-0x000000007F740000-memory.dmp

Filesize
64KB

Download
memory/2200-65-0x0000000007230000-0x0000000007262000-memory.dmp

Filesize
200KB

Download
memory/2200-117-0x0000000007660000-0x00000000076F6000-memory.dmp

Filesize
600KB

Download
memory/2200-26-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/2200-6-0x0000000004B00000-0x0000000004B36000-memory.dmp

Filesize
216KB

Download
memory/2200-120-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/2200-61-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/2200-25-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/4696-66-0x000000007FBC0000-0x000000007FBD0000-memory.dmp

Filesize
64KB

Download
memory/4696-15-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4696-123-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4696-115-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4696-85-0x00000000070F0000-0x000000000710E000-memory.dmp

Filesize
120KB

Download
memory/4696-145-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4696-124-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4696-67-0x000000006FD70000-0x000000006FDBC000-memory.dmp

Filesize
304KB

Download
memory/4696-13-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4696-16-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4696-133-0x00000000075D0000-0x00000000075D8000-memory.dmp

Filesize
32KB

Download
memory/5104-134-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-40-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/5104-0-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-4-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-3-0x0000000005200000-0x000000000529C000-memory.dmp

Filesize
624KB

Download
memory/5104-2-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/5104-129-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/5104-1-0x0000000000670000-0x0000000000822000-memory.dmp

Filesize
1.7MB

Download