azorult | 84783d501b78575f30aa33097f9c7c885542b892512403424fc069b048189e98

Analysis

max time kernel
19s
max time network
10s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MTIR20283256_2101013335_20200507083759.exe
Size

991KB
MD5

24c3c3e947e5d29f8de2f545baaaec8e
SHA1

6fb52f0f5fec4a0699903f3777c331acd8c9c044
SHA256

84783d501b78575f30aa33097f9c7c885542b892512403424fc069b048189e98
SHA512

483ea766f3d4591ff164974f6d7c71633e192a9cbd70cb1f00e8364934c5c8bca6e8a6d43995170bb3d0eefdec9ab0eb8e3dd984ae54b8cc056759cea5e51e41

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

http://ensaenerji.com/mep/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 3 IoCs

Processes:

File.exetmp.exesvhost.exe

pid process

1876 File.exe
1676 tmp.exe
1120 svhost.exe

pid	process
1876	File.exe
1676	tmp.exe
1120	svhost.exe

Loads dropped DLL 6 IoCs

Processes:

MTIR20283256_2101013335_20200507083759.exeFile.exe

pid	process
1644	MTIR20283256_2101013335_20200507083759.exe
1876	File.exe
1876	File.exe
1876	File.exe
1876	File.exe
1644	MTIR20283256_2101013335_20200507083759.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

File.exe

description pid process target process

PID 1876 set thread context of 1120 1876 File.exe svhost.exe

description	pid	process	target process
PID 1876 set thread context of 1120	1876	File.exe	svhost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

864 timeout.exe

pid	process
864	timeout.exe

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

MTIR20283256_2101013335_20200507083759.exeFile.exetmp.exe

pid	process
1644	MTIR20283256_2101013335_20200507083759.exe
1876	File.exe
1876	File.exe
1644	MTIR20283256_2101013335_20200507083759.exe
1644	MTIR20283256_2101013335_20200507083759.exe
1676	tmp.exe
1644	MTIR20283256_2101013335_20200507083759.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MTIR20283256_2101013335_20200507083759.exeFile.exe

description pid process

Token: SeDebugPrivilege 1644 MTIR20283256_2101013335_20200507083759.exe
Token: SeDebugPrivilege 1876 File.exe

description	pid	process
Token: SeDebugPrivilege	1644	MTIR20283256_2101013335_20200507083759.exe
Token: SeDebugPrivilege	1876	File.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

MTIR20283256_2101013335_20200507083759.exeFile.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1644 wrote to memory of 1876	1644	MTIR20283256_2101013335_20200507083759.exe	File.exe
PID 1644 wrote to memory of 1876	1644	MTIR20283256_2101013335_20200507083759.exe	File.exe
PID 1644 wrote to memory of 1876	1644	MTIR20283256_2101013335_20200507083759.exe	File.exe
PID 1644 wrote to memory of 1876	1644	MTIR20283256_2101013335_20200507083759.exe	File.exe
PID 1644 wrote to memory of 1876	1644	MTIR20283256_2101013335_20200507083759.exe	File.exe
PID 1644 wrote to memory of 1876	1644	MTIR20283256_2101013335_20200507083759.exe	File.exe
PID 1644 wrote to memory of 1876	1644	MTIR20283256_2101013335_20200507083759.exe	File.exe
PID 1876 wrote to memory of 1676	1876	File.exe	tmp.exe
PID 1876 wrote to memory of 1676	1876	File.exe	tmp.exe
PID 1876 wrote to memory of 1676	1876	File.exe	tmp.exe
PID 1876 wrote to memory of 1676	1876	File.exe	tmp.exe
PID 1876 wrote to memory of 1120	1876	File.exe	svhost.exe
PID 1876 wrote to memory of 1120	1876	File.exe	svhost.exe
PID 1876 wrote to memory of 1120	1876	File.exe	svhost.exe
PID 1876 wrote to memory of 1120	1876	File.exe	svhost.exe
PID 1876 wrote to memory of 1120	1876	File.exe	svhost.exe
PID 1876 wrote to memory of 1120	1876	File.exe	svhost.exe
PID 1876 wrote to memory of 1120	1876	File.exe	svhost.exe
PID 1876 wrote to memory of 1120	1876	File.exe	svhost.exe
PID 1876 wrote to memory of 1120	1876	File.exe	svhost.exe
PID 1876 wrote to memory of 1120	1876	File.exe	svhost.exe
PID 1876 wrote to memory of 964	1876	File.exe	cmd.exe
PID 1876 wrote to memory of 964	1876	File.exe	cmd.exe
PID 1876 wrote to memory of 964	1876	File.exe	cmd.exe
PID 1876 wrote to memory of 964	1876	File.exe	cmd.exe
PID 1876 wrote to memory of 524	1876	File.exe	cmd.exe
PID 1876 wrote to memory of 524	1876	File.exe	cmd.exe
PID 1876 wrote to memory of 524	1876	File.exe	cmd.exe
PID 1876 wrote to memory of 524	1876	File.exe	cmd.exe
PID 524 wrote to memory of 1020	524	cmd.exe	reg.exe
PID 524 wrote to memory of 1020	524	cmd.exe	reg.exe
PID 524 wrote to memory of 1020	524	cmd.exe	reg.exe
PID 524 wrote to memory of 1020	524	cmd.exe	reg.exe
PID 1876 wrote to memory of 1820	1876	File.exe	cmd.exe
PID 1876 wrote to memory of 1820	1876	File.exe	cmd.exe
PID 1876 wrote to memory of 1820	1876	File.exe	cmd.exe
PID 1876 wrote to memory of 1820	1876	File.exe	cmd.exe
PID 1644 wrote to memory of 388	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 388	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 388	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 388	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 1572	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 1572	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 1572	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 1572	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1572 wrote to memory of 1760	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1760	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1760	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1760	1572	cmd.exe	reg.exe
PID 1644 wrote to memory of 1560	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 1560	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 1560	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 1560	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 1952	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 1952	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 1952	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1644 wrote to memory of 1952	1644	MTIR20283256_2101013335_20200507083759.exe	cmd.exe
PID 1952 wrote to memory of 864	1952	cmd.exe	timeout.exe
PID 1952 wrote to memory of 864	1952	cmd.exe	timeout.exe
PID 1952 wrote to memory of 864	1952	cmd.exe	timeout.exe
PID 1952 wrote to memory of 864	1952	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\MTIR20283256_2101013335_20200507083759.exe
"C:\Users\Admin\AppData\Local\Temp\MTIR20283256_2101013335_20200507083759.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1676

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
3⤵
- Executes dropped EXE
PID:1120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
3⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
4⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
3⤵
- NTFS ADS
PID:1820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/MTIR20283256_2101013335_20200507083759.exe" "%temp%\FolderN\name.exe" /Y
2⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
3⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
2⤵
- NTFS ADS
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
29d723a3bcaf51aba96e2a45d7799f89

SHA1
41c8a473ce69a8521add7b90a7c67784a0474cde

SHA256
b640b5a659b07d02837717c76d703716f562c891d494a005a3e7d8e4b714b563

SHA512
04d29bedce60620e6908cc5a37f2e300271e4f89dbe4e6ded5ab09168ea08fc556d98185b6efcedcfe3d7dbe713abed556cb0bddaf990138bf658da817edec07

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
29d723a3bcaf51aba96e2a45d7799f89

SHA1
41c8a473ce69a8521add7b90a7c67784a0474cde

SHA256
b640b5a659b07d02837717c76d703716f562c891d494a005a3e7d8e4b714b563

SHA512
04d29bedce60620e6908cc5a37f2e300271e4f89dbe4e6ded5ab09168ea08fc556d98185b6efcedcfe3d7dbe713abed556cb0bddaf990138bf658da817edec07

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
MD5
29d723a3bcaf51aba96e2a45d7799f89

SHA1
41c8a473ce69a8521add7b90a7c67784a0474cde

SHA256
b640b5a659b07d02837717c76d703716f562c891d494a005a3e7d8e4b714b563

SHA512
04d29bedce60620e6908cc5a37f2e300271e4f89dbe4e6ded5ab09168ea08fc556d98185b6efcedcfe3d7dbe713abed556cb0bddaf990138bf658da817edec07

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
MD5
24c3c3e947e5d29f8de2f545baaaec8e

SHA1
6fb52f0f5fec4a0699903f3777c331acd8c9c044

SHA256
84783d501b78575f30aa33097f9c7c885542b892512403424fc069b048189e98

SHA512
483ea766f3d4591ff164974f6d7c71633e192a9cbd70cb1f00e8364934c5c8bca6e8a6d43995170bb3d0eefdec9ab0eb8e3dd984ae54b8cc056759cea5e51e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
MD5
24c3c3e947e5d29f8de2f545baaaec8e

SHA1
6fb52f0f5fec4a0699903f3777c331acd8c9c044

SHA256
84783d501b78575f30aa33097f9c7c885542b892512403424fc069b048189e98

SHA512
483ea766f3d4591ff164974f6d7c71633e192a9cbd70cb1f00e8364934c5c8bca6e8a6d43995170bb3d0eefdec9ab0eb8e3dd984ae54b8cc056759cea5e51e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
MD5
bfcbf382f036462e63f307ca4ae280c7

SHA1
ffe98d15fa5ea205220d6bc105e317253a6ea003

SHA256
2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727

SHA512
1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk
MD5
5ab4b9d1f2f56338959480f383324d0e

SHA1
b8b754858ac81f75b4cce55aacad93f2c7d4892d

SHA256
4c52871ff9c6de5395c7a70863044f04c3869ca30c17881319c0a2714a854143

SHA512
80cec5f9840e578f155fe5cf090dc63c85106df8afc51263def1a81f7d4f3c9202de630b1d474fd848e1e4f825d3adf1f9fbaa082cb6e3bc577a1e2d203b3dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe
MD5
dfce427b1a3f57b4ce0787b7cb2803f8

SHA1
d5c19c5f98cb8e829a2101df5eb532be60ed1ac7

SHA256
c7f7fdb5bd9d50c87af022cb0c0d7eaccd8c889e7cf966bf3a42480448f9fa05

SHA512
dc4b7125bf4cd0c2bf7b1fd4526bcd74b2cbb4ca8eb59011279e82d33daf4f2a3a17924efc0fc627db658bc0cff16b7e11b225d2c086a721b4307002753e0e84

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
MD5
29d723a3bcaf51aba96e2a45d7799f89

SHA1
41c8a473ce69a8521add7b90a7c67784a0474cde

SHA256
b640b5a659b07d02837717c76d703716f562c891d494a005a3e7d8e4b714b563

SHA512
04d29bedce60620e6908cc5a37f2e300271e4f89dbe4e6ded5ab09168ea08fc556d98185b6efcedcfe3d7dbe713abed556cb0bddaf990138bf658da817edec07

Download Submit
\Users\Admin\AppData\Local\Temp\FolderN\name.exe
MD5
29d723a3bcaf51aba96e2a45d7799f89

SHA1
41c8a473ce69a8521add7b90a7c67784a0474cde

SHA256
b640b5a659b07d02837717c76d703716f562c891d494a005a3e7d8e4b714b563

SHA512
04d29bedce60620e6908cc5a37f2e300271e4f89dbe4e6ded5ab09168ea08fc556d98185b6efcedcfe3d7dbe713abed556cb0bddaf990138bf658da817edec07

Download Submit
\Users\Admin\AppData\Local\Temp\FolderN\name.exe
MD5
24c3c3e947e5d29f8de2f545baaaec8e

SHA1
6fb52f0f5fec4a0699903f3777c331acd8c9c044

SHA256
84783d501b78575f30aa33097f9c7c885542b892512403424fc069b048189e98

SHA512
483ea766f3d4591ff164974f6d7c71633e192a9cbd70cb1f00e8364934c5c8bca6e8a6d43995170bb3d0eefdec9ab0eb8e3dd984ae54b8cc056759cea5e51e41

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe
MD5
dfce427b1a3f57b4ce0787b7cb2803f8

SHA1
d5c19c5f98cb8e829a2101df5eb532be60ed1ac7

SHA256
c7f7fdb5bd9d50c87af022cb0c0d7eaccd8c889e7cf966bf3a42480448f9fa05

SHA512
dc4b7125bf4cd0c2bf7b1fd4526bcd74b2cbb4ca8eb59011279e82d33daf4f2a3a17924efc0fc627db658bc0cff16b7e11b225d2c086a721b4307002753e0e84

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe
MD5
dfce427b1a3f57b4ce0787b7cb2803f8

SHA1
d5c19c5f98cb8e829a2101df5eb532be60ed1ac7

SHA256
c7f7fdb5bd9d50c87af022cb0c0d7eaccd8c889e7cf966bf3a42480448f9fa05

SHA512
dc4b7125bf4cd0c2bf7b1fd4526bcd74b2cbb4ca8eb59011279e82d33daf4f2a3a17924efc0fc627db658bc0cff16b7e11b225d2c086a721b4307002753e0e84

Download Submit
memory/388-29-0x0000000000000000-mapping.dmp

Download
memory/524-23-0x0000000000000000-mapping.dmp

Download
memory/864-39-0x0000000000000000-mapping.dmp

Download
memory/964-22-0x0000000000000000-mapping.dmp

Download
memory/1020-24-0x0000000000000000-mapping.dmp

Download
memory/1120-19-0x000000000041A1F8-mapping.dmp

Download
memory/1120-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1120-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1560-36-0x0000000000000000-mapping.dmp

Download
memory/1572-31-0x0000000000000000-mapping.dmp

Download
memory/1612-16-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp

Filesize
2.5MB

Download
memory/1644-0-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/1644-3-0x0000000004230000-0x00000000042B8000-memory.dmp

Filesize
544KB

Download
memory/1644-1-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1676-14-0x0000000000000000-mapping.dmp

Download
memory/1760-32-0x0000000000000000-mapping.dmp

Download
memory/1820-27-0x0000000000000000-mapping.dmp

Download
memory/1876-9-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1876-11-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/1876-8-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/1876-5-0x0000000000000000-mapping.dmp

Download
memory/1952-37-0x0000000000000000-mapping.dmp

Download