azorult | bd464b10f6cf96a48f52e2f893d86b0b804047ff4f67bba89bb12e80b8d84142

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a426a26e587749e368137e727a8e806.exe
Size

3.1MB
MD5

4a426a26e587749e368137e727a8e806
SHA1

f497b63c89f4c897a73931386d28c2b3d9f01840
SHA256

bd464b10f6cf96a48f52e2f893d86b0b804047ff4f67bba89bb12e80b8d84142
SHA512

04e12f4a0fa24de194c985ce7b30d9d3f3f176931b944c99907b350aab488a15228ad75787a533e0322aa5f2d2a0891e257bff1f78e72f005a7b09e3470b1374
SSDEEP

98304:YdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8S:YdNB4ianUstYuUR2CSHsVP8S

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

netwire

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3968-30-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3968-32-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3968-27-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

test.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	File.exe

Executes dropped EXE 5 IoCs

Processes:

test.exeFile.exesvhost.exetmp.exesvhost.exe

pid process

3628 test.exe
3472 File.exe
3968 svhost.exe
3380 tmp.exe
4876 svhost.exe

pid	process
3628	test.exe
3472	File.exe
3968	svhost.exe
3380	tmp.exe
4876	svhost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1256-0-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx
behavioral2/memory/1256-60-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx
behavioral2/memory/1256-66-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

test.exeFile.exe

description	pid	process	target process
PID 3628 set thread context of 3968	3628	test.exe	svhost.exe
PID 3472 set thread context of 4876	3472	File.exe	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

test.exeFile.exe

pid process

3628 test.exe
3472 File.exe
3628 test.exe
3628 test.exe
3472 File.exe
3472 File.exe
3628 test.exe
3472 File.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

test.exeFile.exe

description pid process

Token: SeDebugPrivilege 3628 test.exe
Token: SeDebugPrivilege 3472 File.exe

pid	process
3628	test.exe
3472	File.exe
3628	test.exe
3628	test.exe
3472	File.exe
3472	File.exe
3628	test.exe
3472	File.exe

description	pid	process
Token: SeDebugPrivilege	3628	test.exe
Token: SeDebugPrivilege	3472	File.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

4a426a26e587749e368137e727a8e806.execmd.exetest.exeFile.execmd.execmd.exe

description	pid	process	target process
PID 1256 wrote to memory of 4508	1256	4a426a26e587749e368137e727a8e806.exe	cmd.exe
PID 1256 wrote to memory of 4508	1256	4a426a26e587749e368137e727a8e806.exe	cmd.exe
PID 1256 wrote to memory of 4508	1256	4a426a26e587749e368137e727a8e806.exe	cmd.exe
PID 4508 wrote to memory of 3628	4508	cmd.exe	test.exe
PID 4508 wrote to memory of 3628	4508	cmd.exe	test.exe
PID 4508 wrote to memory of 3628	4508	cmd.exe	test.exe
PID 3628 wrote to memory of 3472	3628	test.exe	File.exe
PID 3628 wrote to memory of 3472	3628	test.exe	File.exe
PID 3628 wrote to memory of 3472	3628	test.exe	File.exe
PID 3628 wrote to memory of 3968	3628	test.exe	svhost.exe
PID 3628 wrote to memory of 3968	3628	test.exe	svhost.exe
PID 3628 wrote to memory of 3968	3628	test.exe	svhost.exe
PID 3628 wrote to memory of 3968	3628	test.exe	svhost.exe
PID 3628 wrote to memory of 3968	3628	test.exe	svhost.exe
PID 3628 wrote to memory of 3968	3628	test.exe	svhost.exe
PID 3628 wrote to memory of 3968	3628	test.exe	svhost.exe
PID 3628 wrote to memory of 3968	3628	test.exe	svhost.exe
PID 3628 wrote to memory of 3968	3628	test.exe	svhost.exe
PID 3628 wrote to memory of 3968	3628	test.exe	svhost.exe
PID 3628 wrote to memory of 3968	3628	test.exe	svhost.exe
PID 3472 wrote to memory of 3380	3472	File.exe	tmp.exe
PID 3472 wrote to memory of 3380	3472	File.exe	tmp.exe
PID 3472 wrote to memory of 3380	3472	File.exe	tmp.exe
PID 3628 wrote to memory of 3152	3628	test.exe	cmd.exe
PID 3628 wrote to memory of 3152	3628	test.exe	cmd.exe
PID 3628 wrote to memory of 3152	3628	test.exe	cmd.exe
PID 3472 wrote to memory of 4876	3472	File.exe	svhost.exe
PID 3472 wrote to memory of 4876	3472	File.exe	svhost.exe
PID 3472 wrote to memory of 4876	3472	File.exe	svhost.exe
PID 3472 wrote to memory of 4876	3472	File.exe	svhost.exe
PID 3472 wrote to memory of 4876	3472	File.exe	svhost.exe
PID 3472 wrote to memory of 4876	3472	File.exe	svhost.exe
PID 3472 wrote to memory of 4876	3472	File.exe	svhost.exe
PID 3472 wrote to memory of 4876	3472	File.exe	svhost.exe
PID 3472 wrote to memory of 4876	3472	File.exe	svhost.exe
PID 3628 wrote to memory of 4356	3628	test.exe	cmd.exe
PID 3628 wrote to memory of 4356	3628	test.exe	cmd.exe
PID 3628 wrote to memory of 4356	3628	test.exe	cmd.exe
PID 4356 wrote to memory of 2736	4356	cmd.exe	reg.exe
PID 4356 wrote to memory of 2736	4356	cmd.exe	reg.exe
PID 4356 wrote to memory of 2736	4356	cmd.exe	reg.exe
PID 3628 wrote to memory of 3780	3628	test.exe	cmd.exe
PID 3628 wrote to memory of 3780	3628	test.exe	cmd.exe
PID 3628 wrote to memory of 3780	3628	test.exe	cmd.exe
PID 3472 wrote to memory of 2764	3472	File.exe	cmd.exe
PID 3472 wrote to memory of 2764	3472	File.exe	cmd.exe
PID 3472 wrote to memory of 2764	3472	File.exe	cmd.exe
PID 3472 wrote to memory of 1684	3472	File.exe	cmd.exe
PID 3472 wrote to memory of 1684	3472	File.exe	cmd.exe
PID 3472 wrote to memory of 1684	3472	File.exe	cmd.exe
PID 1684 wrote to memory of 1740	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1740	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1740	1684	cmd.exe	reg.exe
PID 3472 wrote to memory of 3236	3472	File.exe	cmd.exe
PID 3472 wrote to memory of 3236	3472	File.exe	cmd.exe
PID 3472 wrote to memory of 3236	3472	File.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4a426a26e587749e368137e727a8e806.exe
"C:\Users\Admin\AppData\Local\Temp\4a426a26e587749e368137e727a8e806.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        5⤵
        NTFS ADS
        
        PID:3236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1684
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        5⤵
        
        PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4876
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:3380
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      NTFS ADS
      PID:3780
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      Executes dropped EXE
      PID:3968

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
100KB

MD5
2a9b122401b3a8b91f9e9f758e98406b

SHA1
3f2a080866f568300605f433f801322c7a339b13

SHA256
2184a9d7076902725b9b899447c9a0f14aebe08e8bdc8b1feb7be99970b259c2

SHA512
dc84f452755f4257c75b39aa9066f7fa8c9e2b80060b1640b0bebc5c1a5d9af39e2464692c9dfd36a094fbc3bc1df442c6637c8cdd8b342ddea8d964e14ecf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
102KB

MD5
6dd0aacf570f837d8da588b02027d732

SHA1
c590bd67cb8c95815cb8d3706299e42cc0d730ab

SHA256
c0000826e6555ed3b3f87f290217c01cf5e1677753f85bdf2a399ea4d8398dc6

SHA512
09c2f00cad4415ea9b481880d7172d7fd873260bdc5f4b6616f87984d66d2e0b97eb911c9016338029fe8ae2a94b6e70e9909d2d013f71ca7ff7de26d98bf7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
121KB

MD5
41638e42037dc80d99053230a2d43190

SHA1
b1f350ac9ae6cab563b91b031c7341b3d9dec999

SHA256
2520ec77ba9d6d928ebcbb8944ba850582b526d081963c2b8eb88880bedcf59a

SHA512
166391eb37c291d619095e89a6f298de4e2bc9cabdd729260ab38082e5cba72e0ed727cc49b825182cff8617f6554c5ff914e0213e3df5a76c5be4fef5a22f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
234KB

MD5
e9b93d248a1fc9fd2e8a14233515e6f5

SHA1
bd60f6ebca29e4034e7cf996626cd0f8de3df799

SHA256
bd0e77b3c6e86430862d1e1e738e8036f1be10536d727c7d2a68ad842422e1f4

SHA512
57c0b70c8a7c9192d45433520c813ceb76140713c4a95c77469dc98077a509405eda90986fb72cb3bc0faf79e0202f41650edac2d88edad6f6c6ccc3751045cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
149KB

MD5
19ececf5ca4d420da8b1edcf0627ea44

SHA1
8896957aebf1630faf89696567c14cc67b4e594d

SHA256
8c5c15a67073a34db9192b54ec14700e43d34bf1eb43e8aebe39ad6ca8c8c2dc

SHA512
2e84a9c2c048edc3d25e538d5f4c09522f118d5c890cc4ecf26f573440e0d51c4ccbaac337730490a16a5a8d1f4285d419e61e37645b9b1eb98d94b51a334634

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
185KB

MD5
b601dfde142a1590667b6f0351aeed53

SHA1
0056bf28f29864144efde6323c7e1f6a0933fd46

SHA256
0513c09d8fb0a88e6e1429961e616f119f6383afdf92915cb1cae28907b8c5b8

SHA512
12224c68690714e576a799649749a7c54f823e4d87abad8967cfceb16ff86b363d89482b70f0d4dd1ec3ae178fe844435043118c1fedda61e7914cc9a0f225a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

Filesize
1KB

MD5
6155401ed3b043f26fe496de17ed2751

SHA1
aee8f41226f75553a56b112ee20176f3f5eb295f

SHA256
8e86858dd16426087a27bf0b5d7456035c97407390ecb606a6625c2fb83a491b

SHA512
4a4c1c030dd16c5a839547f721b50a74aec3646e8b69cefefab0595310300948ca270482917f42855fe523851385c6d00b97aef2c54038910690402716d2a8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
84KB

MD5
8de1a876ff81662d8bffa12060202e3c

SHA1
5e2870a5f0dca29bdbb271ae0bdc312c0ef0961d

SHA256
d8e08da3e4c2d926d4f298738870e4b8fe34d30daceea7b9537416a8aac7a5db

SHA512
c6b742f6439b5d8b389ea07a3eec5306412d97da34c0798f99b0056a6020241a0e82ca6b2d87a0198dc29adf9bf8dd64ea73247d2ac35d44c93af8d5474bb73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
54KB

MD5
2406a36cf728db1c759db72ae7b416f8

SHA1
3624fafce32966c00d7e0191925a069e02c9c812

SHA256
04c8de6ae013c83fa49c39c2f61eaec3b5970138f865d7c45b95dcc08e84c027

SHA512
8fc768155766ac0e381b2ecb39800d132a5bc84a17be9b7a248dcc5bbf0eeba465f0bcc4d6e52d8970b1acf4d4c9db0d6834907adea30088489785862d60fb5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
144KB

MD5
2af98c0c074a8229624db71f16a46d88

SHA1
b8a61f024a73ca89cf94357a6c6acfb47f042bad

SHA256
abae5b7bf971a60622f672b3a1302a1adafe4f3ab2c641efabac3d17ae4f284f

SHA512
b1f54fca1b65df90c86001a648d427ff89b946121cfd96b46d4c7d2fa95e3d824647565c4b2377bae52edf1ab201a1865bee771649d4c283a0c92ab770524fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
34KB

MD5
554d706ec9b128e21eb6fa99c084e838

SHA1
610cb89e5765fdd324b9561fb9b584853c5a91b2

SHA256
61a6ca3546262c0bca6039d8977c2ade988da1bd4bf927e39fcab8d4853f3a72

SHA512
7aedf23194d681852411109b83d0182346c00a00a04d1a6b1d641bb8cb7685b4df0c374b4055ddf1b1497ebe88e2052f4d648ea690bea44c47e3cdd796782987

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
27KB

MD5
38714f3d4eeec7c68f98fbdf72f62467

SHA1
59c4ea002213760502e6a9add4a3ace679099d21

SHA256
7ffad0643a8eef12e8a53b8240fd69c11f9818d355a92833c8c49311f8dfe4cf

SHA512
dd4d2c3c32b3e6e8af3b0f13740a469b0c217e1a36dbc728794e82d9d970b87f5fc1207f700c2e0145f382ac90ff7e54a5fce40bf1277e94ea782d8ff112ea14

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
112KB

MD5
bae2b04e1160950e570661f55d7cd6f8

SHA1
f4abc073a091292547dda85d0ba044cab231c8da

SHA256
ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

SHA512
1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
57KB

MD5
05b232b70385205e3293b8628447d03b

SHA1
a7fc461092026e4f9538dc6b750bfcd06caaa672

SHA256
faf3914f5d13d975dc801d38f4ae51a4953a0e489b685c77c91e8e8f222ed2a4

SHA512
255b66f84cccf12161e5eb8773be1070349a5294b76979fdc9229099594ac06243d84647f5a37545d61555a1470ed30d3e0bc113bb4a25223aab76a60e0148e4

Download Submit
memory/1256-66-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/1256-0-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/1256-60-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/3380-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3472-21-0x0000000000B70000-0x0000000000BCC000-memory.dmp

Filesize
368KB

Download
memory/3472-68-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3472-23-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/3472-24-0x0000000002EA0000-0x0000000002EC4000-memory.dmp

Filesize
144KB

Download
memory/3472-22-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3628-8-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/3628-62-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/3628-64-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3628-7-0x0000000004C50000-0x0000000004CEC000-memory.dmp

Filesize
624KB

Download
memory/3628-6-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3628-9-0x0000000004BB0000-0x0000000004C36000-memory.dmp

Filesize
536KB

Download
memory/3628-5-0x0000000000190000-0x000000000027E000-memory.dmp

Filesize
952KB

Download
memory/3628-61-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3968-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4876-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4876-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download