azorult | 81367795956e95f29bc717f98bbae4e5a568badb8226aafa08774156df2b129f

Analysis

max time kernel
6s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

371268663c923cffb927f6a5d151ff56.exe
Size

3.1MB
MD5

371268663c923cffb927f6a5d151ff56
SHA1

f009c7ae7ff41fcdeda11dcd0323d3a38a026718
SHA256

81367795956e95f29bc717f98bbae4e5a568badb8226aafa08774156df2b129f
SHA512

4ac459dc845ae3cd69ef0e2591fb3f26e16a54b1cfd2a913fd2691f64612a6858b34cece03613536f26310516b850bbcc222fc091bce8feb415bb985f92ac16d
SSDEEP

98304:QdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf83:QdNB4ianUstYuUR2CSHsVP83

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

netwire

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/2808-39-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2808-45-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2808-61-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2808-63-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2808-38-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2808-37-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2808-36-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 4 IoCs

pid	Process
2200	test.exe
2760	File.exe
1580	tmp.exe
2808	svhost.exe

Loads dropped DLL 6 IoCs

pid	Process
2832	cmd.exe
2200	test.exe
2200	test.exe
2760	File.exe
2760	File.exe
2760	File.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1940-1-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/1940-79-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/1940-84-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 2808	2200	test.exe	49

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2200	test.exe
2760	File.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	test.exe
Token: SeDebugPrivilege	2760	File.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2832	1940	371268663c923cffb927f6a5d151ff56.exe	18
PID 1940 wrote to memory of 2832	1940	371268663c923cffb927f6a5d151ff56.exe	18
PID 1940 wrote to memory of 2832	1940	371268663c923cffb927f6a5d151ff56.exe	18
PID 1940 wrote to memory of 2832	1940	371268663c923cffb927f6a5d151ff56.exe	18
PID 2832 wrote to memory of 2200	2832	cmd.exe	17
PID 2832 wrote to memory of 2200	2832	cmd.exe	17
PID 2832 wrote to memory of 2200	2832	cmd.exe	17
PID 2832 wrote to memory of 2200	2832	cmd.exe	17
PID 2832 wrote to memory of 2200	2832	cmd.exe	17
PID 2832 wrote to memory of 2200	2832	cmd.exe	17
PID 2832 wrote to memory of 2200	2832	cmd.exe	17
PID 2200 wrote to memory of 2760	2200	test.exe	20
PID 2200 wrote to memory of 2760	2200	test.exe	20
PID 2200 wrote to memory of 2760	2200	test.exe	20
PID 2200 wrote to memory of 2760	2200	test.exe	20
PID 2200 wrote to memory of 2760	2200	test.exe	20
PID 2200 wrote to memory of 2760	2200	test.exe	20
PID 2200 wrote to memory of 2760	2200	test.exe	20
PID 2200 wrote to memory of 2808	2200	test.exe	49
PID 2200 wrote to memory of 2808	2200	test.exe	49
PID 2200 wrote to memory of 2808	2200	test.exe	49
PID 2200 wrote to memory of 2808	2200	test.exe	49
PID 2200 wrote to memory of 2808	2200	test.exe	49
PID 2760 wrote to memory of 1580	2760	File.exe	32
PID 2760 wrote to memory of 1580	2760	File.exe	32
PID 2760 wrote to memory of 1580	2760	File.exe	32
PID 2760 wrote to memory of 1580	2760	File.exe	32
PID 2200 wrote to memory of 2808	2200	test.exe	49
PID 2200 wrote to memory of 2808	2200	test.exe	49
PID 2200 wrote to memory of 2808	2200	test.exe	49
PID 2200 wrote to memory of 2808	2200	test.exe	49
PID 2200 wrote to memory of 2808	2200	test.exe	49
PID 2760 wrote to memory of 2608	2760	File.exe	48
PID 2760 wrote to memory of 2608	2760	File.exe	48
PID 2760 wrote to memory of 2608	2760	File.exe	48
PID 2760 wrote to memory of 2608	2760	File.exe	48
PID 2200 wrote to memory of 2808	2200	test.exe	49
PID 2200 wrote to memory of 2808	2200	test.exe	49
PID 2760 wrote to memory of 2608	2760	File.exe	48
PID 2760 wrote to memory of 2608	2760	File.exe	48
PID 2760 wrote to memory of 2608	2760	File.exe	48
PID 2760 wrote to memory of 2608	2760	File.exe	48
PID 2760 wrote to memory of 2608	2760	File.exe	48
PID 2760 wrote to memory of 2608	2760	File.exe	48

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Roaming\tmp.exe
    "C:\Users\Admin\AppData\Roaming\tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
    3⤵
    PID:2400
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
  2⤵
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
  2⤵
  PID:1660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
  2⤵
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\371268663c923cffb927f6a5d151ff56.exe
"C:\Users\Admin\AppData\Local\Temp\371268663c923cffb927f6a5d151ff56.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
63KB

MD5
b2e04df9db341b9d5fc30bc3681cca8a

SHA1
857f0a2d8040a1c874f7333cd38ba187bb822ad2

SHA256
4ebccc2c60e584ff58f55982500e890de63ae99ed21408e11c9576690e894e50

SHA512
27dd30ed93c0d39ff3a440f2f3af731aff4b33d27793e2f3040fbfc97bb930590e599ac5d7b95976c1f8bd9a23226a4598c3cf4d1677538be6b6c33ca2a2bd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
80KB

MD5
38facafbeb3e13468ee1a8722b5a382d

SHA1
895af5a02399f44335e1d83706f2602aa11bfb61

SHA256
f40ed4519a0ae63deacb4c48fad4befd4d5e6c229d1834a45d01a94c75d182e4

SHA512
226532442e0d06d793ebf8340f17ae56d8741314bfaab24778fb501f61a071a2e9af18028afe6ce1ffd8e4ea5308c2b6de7908d1d4f64b547dd2c239942cbe4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
141KB

MD5
4b05410df1f09b9c971e1a08a3281a3f

SHA1
9909f3c28746bf1ce3960a06ba4fa912ec0bc9d8

SHA256
07f6d8c6c8f80ae708099aa8a26b42accf90d6e847d39c808c19c70ffda5cb4f

SHA512
d1dfe03e993f00d57fc73a75e25604c34103d6f36e04c813fe33c332d11d0365b84acc182cf8d08e1369511cc26c6aff16d8c9f6b8e18b44d5e101a67fce710a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
138KB

MD5
3e96949d028b95016e074503121d2bf3

SHA1
78c344e8b136d04623cc542222b7e364a86fcbcd

SHA256
64434fc9a123821bcb5d79bdf564fcc66655f6f78a0207029a03f047ca974d7d

SHA512
b2b73fe3b0fcc4b3589ef0d89caef7d921080435843d1ec99f35d9ce43bec8b0fda4a0124a204bda598a3bc5deeed053dfcf8a1d30a5f175436b006e0e228436

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
125KB

MD5
f675d8de72fd2f3217b42a12ee8e17ad

SHA1
b6f646e02e576307145015a57aabb42983a9ed56

SHA256
599e665327c582da1c57a3e92fc9191e6d04b2d84d34bcee95f4de7beeeb1393

SHA512
08c4598a61ca664cb181777b127930fd33a27de7cc8d9bc506cc8bcd0b7045fd6027354c6b346be812602fbdcb4c03028e3e50221dd3953c50df393d6ae78f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

Filesize
947B

MD5
9df73017cb9138e4da0a84b63af670e6

SHA1
15d0c93a8dcfcfea5e409c10f9fe517c2095f34f

SHA256
1295a938ffd356c4d8fa7c3a9bcab3d589455a5138237fc218e2a19847d320bb

SHA512
a3965b2e269eeb42d4f3db98b1a06168fdb106e9d6431e2ff4c0f23938f998dbb24f19172b86be63a3894cafaeaf9263bc921919c6542fa7ce0885864ddcd514

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
75KB

MD5
f191880ad14030ec09cd6225776053f7

SHA1
8f4f457a421012bb8625fad35e6cf711cc3c4edf

SHA256
19d45ad87143f0a2acaafa78d1b13a0585376ef7a125737218bb963bce258081

SHA512
f3cb0c516fc99592651a55f9d7c5ac36c4d492c304c8b68998e66632767befb370beade9755e311e467ae8471069f3290eddbe8a7051b89f34acc128b4b87f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
133KB

MD5
fbe647c375b4b92cb3c4bbb570d72e38

SHA1
a3d632311e9de9400027346196c0fad3604a0f72

SHA256
939bde75685ae44f58039b6897d0ec1652671b3c7fd3310382bb618db6f0224b

SHA512
cbb90b2e7233df882a282aae7a9038d6f9c66861f16b27a82ddd51fafd42603949340279976445b480fa192b71b477a872bd74f10906b3794f9dc855fef702d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
135KB

MD5
63af218f8141acec701bfdb2f898f941

SHA1
93b618e13ba929af14772dbc05ee51ff965b6a83

SHA256
71a6dad89fe1f429fe8762d86ffacbcb0acb19e50e3c5b18406dc5d5f08019d6

SHA512
6f383a605e27e1d1f292c9983b6bf0a128f1a77fc7948b23b31736f80f89031e0ba2ba870725db2db3846433c2f7e963991900016f519812e19bb708e743102d

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
88KB

MD5
af80925f92993da8a396e2a18cbc82c0

SHA1
c9a86cb5a3a8aca888db906a62db0dce58ad3673

SHA256
f31fe20ce9b8847c497a6b3e2e31ee653eef72d374d4db39aae630359eec3ca1

SHA512
659d2a24aa038abbedf05cd41ebd4b6fa268aa17915ebfbd2d49eba9bbc86fbcc7641d2f803935daabe384bf6cb3848b75f7b2961fb10a9f20b1a1d7418c93dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
145KB

MD5
804f6e2167f5bfed266b3e544b96745e

SHA1
e3410d0583d8a934bd878eff888a9bf53614b1c2

SHA256
1b385aebb2f1c251f178c78c99aa37bdef63fca801953bf4d41dcbd0ed3a1bca

SHA512
47c0a280c077d337ff206030259c9fb622eb73c0cce2479de80b19e9f0f25552da70187a5a39bf569857dc54360778d46a9062c24f5f688ec4475d5b4e99e113

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
112KB

MD5
bae2b04e1160950e570661f55d7cd6f8

SHA1
f4abc073a091292547dda85d0ba044cab231c8da

SHA256
ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

SHA512
1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe

Filesize
104KB

MD5
d382db39a71eed17315a2ad7c95f3d4b

SHA1
30275c30f0c032b7e604c55bcad3a3d5d8a6c981

SHA256
5bf46d072a9332e21583abfc4b56d2847070b4ea5f6b2b3faa92a1b0d0899e5f

SHA512
aee6e5333b5984187790beff21cc7f5eed3ad933099914c3f5452ff8378cee032455069560222e787ab5a782bc2512d98e265244bf7313ec548a60623c5eba45

Download Submit
\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
165KB

MD5
6a6a0e9f6d2e5d4a5dbf3c5c4328bf08

SHA1
2da516730d9cbc6fa10f8bc05f790b6561a95922

SHA256
f3e168ab85c9ae0d77af2c5c6833fd6ce891b1fd939f67a1f4582f6090333be6

SHA512
bd658fe814b3089524ff7ae191a71e56ec257b1536bdfa6eb7bd68bcada58d79383a46737a95f944670be8827e401ebff8ad130f3d4383844f263f6f265ae104

Download Submit
\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
1KB

MD5
fc008e1af291be684bb643b3eb6fb7bc

SHA1
c577ca1995e3a9590f8a6fa86400b8e8c9bdd597

SHA256
6d6c61f6616505f6db574c691f08b3676915124b2f15f4de672cf234e96ff739

SHA512
cbfb84c1f5f73c29ec1e89bae854d5b0bf6d42ad26a04f4ae0cd49e213b94651721f919375d95dfc61b190dd7abcaf7fb97ffcb812961045c65973ff6d87f100

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
104KB

MD5
98381b609fc0abcc30b8acce33cdb550

SHA1
2221d3e6eca72e9d10ea47041b120b94d4af0d8a

SHA256
6e6e101726426e1b4d9c0207b5e53db61bc9e2bef4256cc17ac06d18e6d42b9c

SHA512
2f78fe79c34dd931d738619e7b9f3bd7743cf4bec7f8b150f014bf4458b4eab9bd8b197dd283cd9663c55546a749ffd2146616fc7cf150e92b34f816c8c9e21b

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe

Filesize
181KB

MD5
4d705add0defddcdb1b280812b92f822

SHA1
b82a820ac7921b481931591e8b07870363dbffba

SHA256
62c6d010dc16e1e9ac674e5055870e8326168f92d8da26d4b02bacc14da600ff

SHA512
c2e256bcfc870961a777d87102260de3420c1c208ba36508cc3ec07411e68904464f58eb0647d8520402de923d4dcd758da220acbdb57bf2c55e4a2ec866edb0

Download Submit
memory/1580-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-79-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/1940-1-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/1940-84-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2200-6-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-8-0x0000000000E80000-0x0000000000F06000-memory.dmp

Filesize
536KB

Download
memory/2200-81-0x0000000000F50000-0x0000000000F90000-memory.dmp

Filesize
256KB

Download
memory/2200-7-0x0000000000F50000-0x0000000000F90000-memory.dmp

Filesize
256KB

Download
memory/2200-82-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-5-0x0000000000FF0000-0x00000000010DE000-memory.dmp

Filesize
952KB

Download
memory/2200-80-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2608-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2608-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2608-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2608-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2608-50-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2608-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2608-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2608-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2760-17-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-18-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2760-83-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-16-0x0000000000360000-0x00000000003BC000-memory.dmp

Filesize
368KB

Download
memory/2760-19-0x00000000005B0000-0x00000000005D4000-memory.dmp

Filesize
144KB

Download
memory/2808-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-42-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2808-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download