azorult | 3bb7c47aa4dbab2d785c8058555788595be24c6c021fe03fd6b2ecce8730dff1

Analysis

max time kernel
132s
max time network
131s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55467CY.xlsm
Size

2.8MB
MD5

736c9bf1bbf0332f1acf1967fc1470e7
SHA1

40a3360c60fc0714581e5b32c7f6c3b7727da2f0
SHA256

3bb7c47aa4dbab2d785c8058555788595be24c6c021fe03fd6b2ecce8730dff1
SHA512

b5ed20a6421cead68f2d0ad43f680172b695cbd8a0c1234f8be9cea21c360130095131f8f8fe1fe2c60355beab49cf60b909176b31031ab15f1bb1ee0bc63990

Score

10^/10

azorult discovery infostealer spyware trojan

Malware Config

Extracted

Family

azorult

https://www.themindset.org.ng/nc_assets/fonts/098/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cscript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3492	1160	cscript.exe	EXCEL.EXE

Blacklisted process makes network request 1 IoCs

Processes:

cscript.exe

flow pid process

27 3492 cscript.exe
Executes dropped EXE 3 IoCs

Processes:

55467CY.exevpvbfm.pifRegSvcs.exe

pid process

2308 55467CY.exe
3980 vpvbfm.pif
3732 RegSvcs.exe
Loads dropped DLL 4 IoCs

Processes:

RegSvcs.exe

pid process

3732 RegSvcs.exe
3732 RegSvcs.exe
3732 RegSvcs.exe
3732 RegSvcs.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
27	3492	cscript.exe

pid	process
2308	55467CY.exe
3980	vpvbfm.pif
3732	RegSvcs.exe

pid	process
3732	RegSvcs.exe
3732	RegSvcs.exe
3732	RegSvcs.exe
3732	RegSvcs.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll	js

Suspicious use of SetThreadContext 1 IoCs

Processes:

vpvbfm.pif

description pid process target process

PID 3980 set thread context of 3732 3980 vpvbfm.pif RegSvcs.exe

description	pid	process	target process
PID 3980 set thread context of 3732	3980	vpvbfm.pif	RegSvcs.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exeEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegSvcs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RegSvcs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegSvcs.exe

NTFS ADS 3 IoCs

Processes:

EXCEL.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{4D63065F-2637-4862-953A-28117D5B717C}\q:Zone.Identifier	EXCEL.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{4D63065F-2637-4862-953A-28117D5B717C}\xx:Zone.Identifier	EXCEL.EXE
File created	C:\programdata\asc.txt:script1.vbs	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1160 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

vpvbfm.pifRegSvcs.exe

pid	process
3980	vpvbfm.pif
3980	vpvbfm.pif
3980	vpvbfm.pif
3980	vpvbfm.pif
3980	vpvbfm.pif
3980	vpvbfm.pif
3980	vpvbfm.pif
3980	vpvbfm.pif
3980	vpvbfm.pif
3980	vpvbfm.pif
3980	vpvbfm.pif
3980	vpvbfm.pif
3980	vpvbfm.pif
3980	vpvbfm.pif
3732	RegSvcs.exe
3732	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1160 EXCEL.EXE
1160 EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

EXCEL.EXEcscript.exe55467CY.exevpvbfm.pif

description	pid	process	target process
PID 1160 wrote to memory of 3492	1160	EXCEL.EXE	cscript.exe
PID 1160 wrote to memory of 3492	1160	EXCEL.EXE	cscript.exe
PID 3492 wrote to memory of 2308	3492	cscript.exe	55467CY.exe
PID 3492 wrote to memory of 2308	3492	cscript.exe	55467CY.exe
PID 3492 wrote to memory of 2308	3492	cscript.exe	55467CY.exe
PID 2308 wrote to memory of 3980	2308	55467CY.exe	vpvbfm.pif
PID 2308 wrote to memory of 3980	2308	55467CY.exe	vpvbfm.pif
PID 2308 wrote to memory of 3980	2308	55467CY.exe	vpvbfm.pif
PID 3980 wrote to memory of 2208	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2208	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2208	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 1364	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 1364	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 1364	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 1120	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 1120	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 1120	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2076	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2076	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2076	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2372	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2372	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2372	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2228	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2228	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2228	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2712	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2712	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 2712	3980	vpvbfm.pif	mshta.exe
PID 3980 wrote to memory of 3732	3980	vpvbfm.pif	RegSvcs.exe
PID 3980 wrote to memory of 3732	3980	vpvbfm.pif	RegSvcs.exe
PID 3980 wrote to memory of 3732	3980	vpvbfm.pif	RegSvcs.exe
PID 3980 wrote to memory of 3732	3980	vpvbfm.pif	RegSvcs.exe
PID 3980 wrote to memory of 3732	3980	vpvbfm.pif	RegSvcs.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\55467CY.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\system32\cscript.exe
"C:\Windows\system32\cscript.exe" C:\programdata\asc.txt:script1.vbs
2⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3492

C:\programdata\55467CY.exe
C:\programdata\55467CY.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308

C:\37558992\vpvbfm.pif
"C:\37558992\vpvbfm.pif" asjmbpxf.pft
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
5⤵
PID:2208

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
5⤵
PID:1364

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
5⤵
PID:1120

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
5⤵
PID:2076

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
5⤵
PID:2372

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
5⤵
PID:2228

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
5⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:3732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\37558992\asjmbpxf.pft
MD5
b3defc138f5406fc8819f448e7378274

SHA1
2c084421a604339e35b8f3a1b92f511f35fcab1d

SHA256
d865303eabf5f64a2f4dcf103f128289cceabc53f12cb69e13dcd37cf49f06e1

SHA512
09146e9554398658cf188c5d9071a02fa2812a5b13b1e44b7407c204a81303c2a6613ebb4649cc1bff0a145e04fb098199ffc453626eb84a1c21d42e08e9083c

Download Submit
C:\37558992\fnscdjqluq.msc
MD5
74fd727bdcf0ae8f29e2a6ecfe3a6eb8

SHA1
79c1109ae4d0a5ff9e2f15bcd9b7e7c5ebcc60d5

SHA256
187644d563f5c19da5a112bec6ac23dbf122e9d922fff9b777e5ee85a9c35f4e

SHA512
c3c46ac4d8f9329f257c7aa9484f1be5776b5accbc597101019e16dd8218d5640970c5233e5e16c8071e6c5973a303c64755c5011aa62d6c204af90b31506e57

Download Submit
C:\37558992\vpvbfm.pif
MD5
43e7db53ce5c130179aef5b47dcf7608

SHA1
5398e207d9ad301860b570d87601c1664ada9c0a

SHA256
9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1

SHA512
a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

Download Submit
C:\37558992\vpvbfm.pif
MD5
43e7db53ce5c130179aef5b47dcf7608

SHA1
5398e207d9ad301860b570d87601c1664ada9c0a

SHA256
9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1

SHA512
a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

Download Submit
C:\ProgramData\55467CY.exe
MD5
574c8d7fdf2cbf1dc4a9f50a0b105076

SHA1
39a81e9a14956ed8ab680d8a672e8e2170d545cd

SHA256
2a65e229bd86d048aba1f43a69b144735660c7bbf4e3756be772b5935cb4057d

SHA512
166170d00f65a8dc0b61f3971d68b52103947d1fd5c02dd180e581a9a9d23249f05c478fd696c604c8db444a430526b54e6a8a9e04418ef6f05641f4766d4857

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\programdata\55467CY.exe
MD5
574c8d7fdf2cbf1dc4a9f50a0b105076

SHA1
39a81e9a14956ed8ab680d8a672e8e2170d545cd

SHA256
2a65e229bd86d048aba1f43a69b144735660c7bbf4e3756be772b5935cb4057d

SHA512
166170d00f65a8dc0b61f3971d68b52103947d1fd5c02dd180e581a9a9d23249f05c478fd696c604c8db444a430526b54e6a8a9e04418ef6f05641f4766d4857

Download Submit
C:\programdata\asc.txt:script1.vbs
MD5
f1dd122be3ca4cd8c9ae1655b19d3f8b

SHA1
10d651834a3f41cfe6e3ccdf88b7f45cdf5cc748

SHA256
d08d66c0b0ab25e27c1046f60627cc12ba3ff95a7561c1f6f51544f951adfe34

SHA512
8976d0dadb81374794a7bcecd361e26d7a96e64685a917b3602a71788b3bb85cff2ceff4c803b14b7a3927f91488c3caffcdb12069b4b2bcc706fe0394aaf4c8

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll
MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll
MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/1120-19-0x0000000000000000-mapping.dmp

Download
memory/1160-0-0x00007FFE20AF0000-0x00007FFE21127000-memory.dmp

Filesize
6.2MB

Download
memory/1160-2-0x000001E95C699000-0x000001E95C6AA000-memory.dmp

Filesize
68KB

Download
memory/1364-18-0x0000000000000000-mapping.dmp

Download
memory/2076-20-0x0000000000000000-mapping.dmp

Download
memory/2208-17-0x0000000000000000-mapping.dmp

Download
memory/2228-22-0x0000000000000000-mapping.dmp

Download
memory/2308-7-0x0000000000000000-mapping.dmp

Download
memory/2372-21-0x0000000000000000-mapping.dmp

Download
memory/2712-23-0x0000000000000000-mapping.dmp

Download
memory/3492-5-0x0000000000000000-mapping.dmp

Download
memory/3732-25-0x000000000061A1F8-mapping.dmp

Download
memory/3732-29-0x0000000000600000-0x0000000000B14000-memory.dmp

Filesize
5.1MB

Download
memory/3732-28-0x0000000072C20000-0x0000000072CB3000-memory.dmp

Filesize
588KB

Download
memory/3732-24-0x0000000000600000-0x0000000000B14000-memory.dmp

Filesize
5.1MB

Download
memory/3980-14-0x0000000072C20000-0x0000000072CB3000-memory.dmp

Filesize
588KB

Download
memory/3980-11-0x0000000000000000-mapping.dmp

Download