azorult | e561b6430b7eada808e069b7d7eb49c573e1f68007e3c87c4320039a5d599c52

Analysis

max time kernel
144s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14a8c2f67d92486c89eac26af4d2018d.exe
Size

3.1MB
MD5

14a8c2f67d92486c89eac26af4d2018d
SHA1

0e3ac0615936d2f2b371b751ddc60396c134c0b1
SHA256

e561b6430b7eada808e069b7d7eb49c573e1f68007e3c87c4320039a5d599c52
SHA512

55f366abda35de1a6af889543e68bc1a56ed2ddcddab1d29387edd3fb552e14fb2c08cc6ee50f7f58b85ab329bb1173b5590fa7f2d70165e716ef0846b17d86c
SSDEEP

98304:adNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf85:adNB4ianUstYuUR2CSHsVP85

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

netwire

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/384-31-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/384-30-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/384-27-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

test.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	File.exe

Executes dropped EXE 5 IoCs

Processes:

test.exeFile.exesvhost.exetmp.exesvhost.exe

pid process

2568 test.exe
2032 File.exe
384 svhost.exe
4224 tmp.exe
1896 svhost.exe

pid	process
2568	test.exe
2032	File.exe
384	svhost.exe
4224	tmp.exe
1896	svhost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3932-0-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx
behavioral2/memory/3932-62-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx
behavioral2/memory/3932-67-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

test.exeFile.exe

description pid process target process

PID 2568 set thread context of 384 2568 test.exe svhost.exe
PID 2032 set thread context of 1896 2032 File.exe svhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

4592 1896 WerFault.exe

description	pid	process	target process
PID 2568 set thread context of 384	2568	test.exe	svhost.exe
PID 2032 set thread context of 1896	2032	File.exe	svhost.exe

pid	pid_target	process
4592	1896	WerFault.exe

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

test.exeFile.exe

pid process

2568 test.exe
2032 File.exe
2568 test.exe
2568 test.exe
2568 test.exe
2032 File.exe
2032 File.exe
2032 File.exe
2568 test.exe
2032 File.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

test.exeFile.exe

description pid process

Token: SeDebugPrivilege 2568 test.exe
Token: SeDebugPrivilege 2032 File.exe

pid	process
2568	test.exe
2032	File.exe
2568	test.exe
2568	test.exe
2568	test.exe
2032	File.exe
2032	File.exe
2032	File.exe
2568	test.exe
2032	File.exe

description	pid	process
Token: SeDebugPrivilege	2568	test.exe
Token: SeDebugPrivilege	2032	File.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

14a8c2f67d92486c89eac26af4d2018d.execmd.exetest.exeFile.execmd.execmd.exe

description	pid	process	target process
PID 3932 wrote to memory of 3968	3932	14a8c2f67d92486c89eac26af4d2018d.exe	cmd.exe
PID 3932 wrote to memory of 3968	3932	14a8c2f67d92486c89eac26af4d2018d.exe	cmd.exe
PID 3932 wrote to memory of 3968	3932	14a8c2f67d92486c89eac26af4d2018d.exe	cmd.exe
PID 3968 wrote to memory of 2568	3968	cmd.exe	test.exe
PID 3968 wrote to memory of 2568	3968	cmd.exe	test.exe
PID 3968 wrote to memory of 2568	3968	cmd.exe	test.exe
PID 2568 wrote to memory of 2032	2568	test.exe	File.exe
PID 2568 wrote to memory of 2032	2568	test.exe	File.exe
PID 2568 wrote to memory of 2032	2568	test.exe	File.exe
PID 2568 wrote to memory of 384	2568	test.exe	svhost.exe
PID 2568 wrote to memory of 384	2568	test.exe	svhost.exe
PID 2568 wrote to memory of 384	2568	test.exe	svhost.exe
PID 2568 wrote to memory of 384	2568	test.exe	svhost.exe
PID 2568 wrote to memory of 384	2568	test.exe	svhost.exe
PID 2568 wrote to memory of 384	2568	test.exe	svhost.exe
PID 2568 wrote to memory of 384	2568	test.exe	svhost.exe
PID 2568 wrote to memory of 384	2568	test.exe	svhost.exe
PID 2568 wrote to memory of 384	2568	test.exe	svhost.exe
PID 2568 wrote to memory of 384	2568	test.exe	svhost.exe
PID 2568 wrote to memory of 384	2568	test.exe	svhost.exe
PID 2032 wrote to memory of 4224	2032	File.exe	tmp.exe
PID 2032 wrote to memory of 4224	2032	File.exe	tmp.exe
PID 2032 wrote to memory of 4224	2032	File.exe	tmp.exe
PID 2568 wrote to memory of 1508	2568	test.exe	cmd.exe
PID 2568 wrote to memory of 1508	2568	test.exe	cmd.exe
PID 2568 wrote to memory of 1508	2568	test.exe	cmd.exe
PID 2032 wrote to memory of 1896	2032	File.exe	svhost.exe
PID 2032 wrote to memory of 1896	2032	File.exe	svhost.exe
PID 2032 wrote to memory of 1896	2032	File.exe	svhost.exe
PID 2032 wrote to memory of 1896	2032	File.exe	svhost.exe
PID 2032 wrote to memory of 1896	2032	File.exe	svhost.exe
PID 2032 wrote to memory of 1896	2032	File.exe	svhost.exe
PID 2032 wrote to memory of 1896	2032	File.exe	svhost.exe
PID 2032 wrote to memory of 1896	2032	File.exe	svhost.exe
PID 2032 wrote to memory of 1896	2032	File.exe	svhost.exe
PID 2568 wrote to memory of 2540	2568	test.exe	cmd.exe
PID 2568 wrote to memory of 2540	2568	test.exe	cmd.exe
PID 2568 wrote to memory of 2540	2568	test.exe	cmd.exe
PID 2540 wrote to memory of 2156	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2156	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2156	2540	cmd.exe	reg.exe
PID 2568 wrote to memory of 2524	2568	test.exe	cmd.exe
PID 2568 wrote to memory of 2524	2568	test.exe	cmd.exe
PID 2568 wrote to memory of 2524	2568	test.exe	cmd.exe
PID 2032 wrote to memory of 2236	2032	File.exe	cmd.exe
PID 2032 wrote to memory of 2236	2032	File.exe	cmd.exe
PID 2032 wrote to memory of 2236	2032	File.exe	cmd.exe
PID 2032 wrote to memory of 3472	2032	File.exe	cmd.exe
PID 2032 wrote to memory of 3472	2032	File.exe	cmd.exe
PID 2032 wrote to memory of 3472	2032	File.exe	cmd.exe
PID 3472 wrote to memory of 3400	3472	cmd.exe	reg.exe
PID 3472 wrote to memory of 3400	3472	cmd.exe	reg.exe
PID 3472 wrote to memory of 3400	3472	cmd.exe	reg.exe
PID 2032 wrote to memory of 1992	2032	File.exe	cmd.exe
PID 2032 wrote to memory of 1992	2032	File.exe	cmd.exe
PID 2032 wrote to memory of 1992	2032	File.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\14a8c2f67d92486c89eac26af4d2018d.exe
"C:\Users\Admin\AppData\Local\Temp\14a8c2f67d92486c89eac26af4d2018d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3968

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    3⤵
    - NTFS ADS
    PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
    3⤵
    PID:2236
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    - Executes dropped EXE
    PID:1896
- - C:\Users\Admin\AppData\Roaming\tmp.exe
    "C:\Users\Admin\AppData\Roaming\tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
  2⤵
  - NTFS ADS
  PID:2524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
  2⤵
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1896 -ip 1896
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 360
1⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:3400

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
76KB

MD5
7f7fa1d1c5471fe9fe7ba54928656925

SHA1
ad27423244c128ecc23b6211d2022d8632c10b10

SHA256
26146af6aec68e1131799bfd96237637bf5905e6e59dddccf9e35615dfbd2b5f

SHA512
6fa0f4c947b76f5b859e7d2b96922f067fdd6139deefc07627c1ce5ecbe88c380f5e44b97806bba90d9d766967aac2b555297556f43bdf4d5e3299fec34a5295

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
126KB

MD5
ca9415bbeb9c29370a4b0cf1026023d1

SHA1
459997adcd0f4df13e7211aac13bda5c42f59ba8

SHA256
761910c70e5966460bc4c499d8555281267dc3ab6a4012dc83be05fbce8b5cce

SHA512
4aa7880f0817f773b6253dfdba2e38a6758290ad5dae255a8909caea2750afa7279b0eedff09dadd8db47974bd54eef632fb54521bf8985cf99c79789b15a33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
203KB

MD5
054422d0495e36d8fbf144e29ae3e938

SHA1
9ec6ea126729989e45f83b73b66e22ada6af444c

SHA256
d411af3a0aceba1e4705a220612d8ca506172f5fbf96869ef3e08978f813063a

SHA512
206b2ffa1c64779d78f8cbd9dae48355263c12e3fa87e128b5944d9244227711c27fe8e27a03e28bf0f56f2ebffa9c1d04010c92b0420f918497e2d9a65864d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
25KB

MD5
0b263efe678f2e244e0d1ddea5d66dbb

SHA1
20237d7ceb498e37ff2f0e1ab4e6fe25edbf5dc7

SHA256
8720de561c44b1d72e7b5f83ecc6753db8135fa0d665244d9147c77bcf77e000

SHA512
7534c5a718f642402019c3a1615852eebd8ac93a4d42efee5474ceb7cae4d2b35731092677b15b26d0a328781a1d50cfc6fb3a1c70c72afbbccf009183d0c11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
127KB

MD5
bf4f68e24fa13c4fe8a60d5e1098ea19

SHA1
b0f8bbd4a3c41e65a64e0c2ccd5fe727499bc044

SHA256
821b4ec8e9ddd545cbe1c33bb8168643e54487db2e2309d11eb953edcf0fe74c

SHA512
b9338b744297cd2ab1ca4495e139fc3b398b5585ff4c48a66cc36bcb79ad897006a4fa5ec55f809abcd7ee480dc26e5ed292d97f27aadc859c7d814de2a47772

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
36KB

MD5
e40bbab6801bcf1924b45114dfc912fe

SHA1
2d132b34a85eddee3fde65da4b1a586e193922a2

SHA256
ff102132c76757a31b60be89b929e38b7d8e4632f165c26d235a8a2e4ffa967a

SHA512
c1eebbd5a0d0c968e003b7fc2aff4444f090ac6a2b03b1b83a3d58f3592ac6229fa1627599503d83b2a71c94ffd616bc21baeb360c42dabb798fb4e1326218b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

Filesize
1KB

MD5
22571474ff2a1180795b52c09da9ec3c

SHA1
513560c1d0fffdf431ffa29cf318f37b6952df81

SHA256
4de1a88334568ac16c161de05f157d2b609cea96dd7d6aa3d14b5639e2660f8f

SHA512
159408da28bfb66943299800a1a44c1dfee2bd4f91c6118a3fc231e7ca0ec5143fe82a972501f999575abeede1eb98c3d2a724dedd34c7091d9fb5409697b7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
201KB

MD5
13f33424351f8a8cb7aae86a6cbb6db9

SHA1
94550376ca182309bca16a0008588a3e96e461c2

SHA256
acf28936b7b585b1c40b008c6bdc1c194f65c14e734aa0d201904a8caa84bed0

SHA512
8b5c476c57ba3de7efc9ec1dd3386de3b9cfb747bf4420ff4eb98449b5cbb2e872dc2182c9a1c7c6856ac93a08ddb97417906b824156f3ca8dca76a31450aa50

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
175KB

MD5
752f1c04a3718e33021952e916a2b838

SHA1
ece72b9f477c333bd046d48bfc276de5af0fd99c

SHA256
44380c97ad2a993fbc558cec51d42d2dc56a15ac200cc18b2c4445b84b3634fd

SHA512
97acee87d8656889ba423c3b26e0e31d2803df2072c5eaf67bcac26ede1605120cf787037263dae15308e1eb14188f359cfc071cc0fb261a2128a37827a7911d

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
57KB

MD5
60830409ee56de6501a77422c3a3df29

SHA1
3b75e1c75c1a25a189a56c4ef140b5240d58aa93

SHA256
03f05eb21c48a147fbe9ed5697385257fa422c94c5cd4484e1574be559677120

SHA512
07cf5f37b340531704231d222b9b9caf282e4bd1f2c5b4374c8292ded1d3c951d0bc0403f999ffb991e0a61a48aee1edb01787f8398716845fab9aee09a1793e

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
42KB

MD5
1d87fc08ab1793255f04e3d80d8bbd07

SHA1
b2d5cc83bf33409e24bd8ff4ecbd7cce602484cc

SHA256
dc19c8cdccbe47114c274be61dc646c32f43da9f612d92a29573b066f5d2ab9b

SHA512
915fec563a62d17136cd4b9ba82dfeb905ee4ede455515e7e6ba37259a14bdaeb94d570b869909d8def859bfa9ccf1bcc95d80b5dda95b681912c602726de902

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
112KB

MD5
bae2b04e1160950e570661f55d7cd6f8

SHA1
f4abc073a091292547dda85d0ba044cab231c8da

SHA256
ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

SHA512
1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
57KB

MD5
05b232b70385205e3293b8628447d03b

SHA1
a7fc461092026e4f9538dc6b750bfcd06caaa672

SHA256
faf3914f5d13d975dc801d38f4ae51a4953a0e489b685c77c91e8e8f222ed2a4

SHA512
255b66f84cccf12161e5eb8773be1070349a5294b76979fdc9229099594ac06243d84647f5a37545d61555a1470ed30d3e0bc113bb4a25223aab76a60e0148e4

Download Submit
memory/384-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-42-0x0000000000800000-0x0000000000820000-memory.dmp

Filesize
128KB

Download
memory/1896-44-0x0000000000800000-0x0000000000820000-memory.dmp

Filesize
128KB

Download
memory/1896-49-0x0000000000800000-0x0000000000820000-memory.dmp

Filesize
128KB

Download
memory/2032-23-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2032-24-0x0000000002830000-0x0000000002854000-memory.dmp

Filesize
144KB

Download
memory/2032-69-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/2032-21-0x00000000003F0000-0x000000000044C000-memory.dmp

Filesize
368KB

Download
memory/2032-22-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/2568-8-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/2568-6-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/2568-7-0x0000000005290000-0x000000000532C000-memory.dmp

Filesize
624KB

Download
memory/2568-5-0x00000000007E0000-0x00000000008CE000-memory.dmp

Filesize
952KB

Download
memory/2568-9-0x0000000005330000-0x00000000053B6000-memory.dmp

Filesize
536KB

Download
memory/2568-63-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/2568-65-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/3932-0-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/3932-62-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/3932-67-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/4224-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download