aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
80s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

voiceadequovl.exevoiceadequovl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 6 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exevoiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

4188 voiceadequovl.exe
1340 voiceadequovl.exe
2532 voiceadequovl.exe
3472 voiceadequovl.exe
1404 voiceadequovl.exe
4304 voiceadequovl.exe

pid	process
4188	voiceadequovl.exe
1340	voiceadequovl.exe
2532	voiceadequovl.exe
3472	voiceadequovl.exe
1404	voiceadequovl.exe
4304	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1340 set thread context of 4304 1340 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1340 set thread context of 4304	1340	voiceadequovl.exe	voiceadequovl.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exevoiceadequovl.exepowershell.exe

pid	process
3520	powershell.exe
3520	powershell.exe
1340	voiceadequovl.exe
1340	voiceadequovl.exe
1340	voiceadequovl.exe
1340	voiceadequovl.exe
1340	voiceadequovl.exe
1340	voiceadequovl.exe
4960	powershell.exe
4960	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1340	voiceadequovl.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeIncreaseQuotaPrivilege	1124	wmic.exe
Token: SeSecurityPrivilege	1124	wmic.exe
Token: SeTakeOwnershipPrivilege	1124	wmic.exe
Token: SeLoadDriverPrivilege	1124	wmic.exe
Token: SeSystemProfilePrivilege	1124	wmic.exe
Token: SeSystemtimePrivilege	1124	wmic.exe
Token: SeProfSingleProcessPrivilege	1124	wmic.exe
Token: SeIncBasePriorityPrivilege	1124	wmic.exe
Token: SeCreatePagefilePrivilege	1124	wmic.exe
Token: SeBackupPrivilege	1124	wmic.exe
Token: SeRestorePrivilege	1124	wmic.exe
Token: SeShutdownPrivilege	1124	wmic.exe
Token: SeDebugPrivilege	1124	wmic.exe
Token: SeSystemEnvironmentPrivilege	1124	wmic.exe
Token: SeRemoteShutdownPrivilege	1124	wmic.exe
Token: SeUndockPrivilege	1124	wmic.exe
Token: SeManageVolumePrivilege	1124	wmic.exe
Token: 33	1124	wmic.exe
Token: 34	1124	wmic.exe
Token: 35	1124	wmic.exe
Token: 36	1124	wmic.exe
Token: SeIncreaseQuotaPrivilege	1124	wmic.exe
Token: SeSecurityPrivilege	1124	wmic.exe
Token: SeTakeOwnershipPrivilege	1124	wmic.exe
Token: SeLoadDriverPrivilege	1124	wmic.exe
Token: SeSystemProfilePrivilege	1124	wmic.exe
Token: SeSystemtimePrivilege	1124	wmic.exe
Token: SeProfSingleProcessPrivilege	1124	wmic.exe
Token: SeIncBasePriorityPrivilege	1124	wmic.exe
Token: SeCreatePagefilePrivilege	1124	wmic.exe
Token: SeBackupPrivilege	1124	wmic.exe
Token: SeRestorePrivilege	1124	wmic.exe
Token: SeShutdownPrivilege	1124	wmic.exe
Token: SeDebugPrivilege	1124	wmic.exe
Token: SeSystemEnvironmentPrivilege	1124	wmic.exe
Token: SeRemoteShutdownPrivilege	1124	wmic.exe
Token: SeUndockPrivilege	1124	wmic.exe
Token: SeManageVolumePrivilege	1124	wmic.exe
Token: 33	1124	wmic.exe
Token: 34	1124	wmic.exe
Token: 35	1124	wmic.exe
Token: 36	1124	wmic.exe
Token: SeIncreaseQuotaPrivilege	5052	WMIC.exe
Token: SeSecurityPrivilege	5052	WMIC.exe
Token: SeTakeOwnershipPrivilege	5052	WMIC.exe
Token: SeLoadDriverPrivilege	5052	WMIC.exe
Token: SeSystemProfilePrivilege	5052	WMIC.exe
Token: SeSystemtimePrivilege	5052	WMIC.exe
Token: SeProfSingleProcessPrivilege	5052	WMIC.exe
Token: SeIncBasePriorityPrivilege	5052	WMIC.exe
Token: SeCreatePagefilePrivilege	5052	WMIC.exe
Token: SeBackupPrivilege	5052	WMIC.exe
Token: SeRestorePrivilege	5052	WMIC.exe
Token: SeShutdownPrivilege	5052	WMIC.exe
Token: SeDebugPrivilege	5052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5052	WMIC.exe
Token: SeRemoteShutdownPrivilege	5052	WMIC.exe
Token: SeUndockPrivilege	5052	WMIC.exe
Token: SeManageVolumePrivilege	5052	WMIC.exe
Token: 33	5052	WMIC.exe
Token: 34	5052	WMIC.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 3484 wrote to memory of 4188	3484	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 3484 wrote to memory of 4188	3484	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 3484 wrote to memory of 4188	3484	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4188 wrote to memory of 1340	4188	voiceadequovl.exe	voiceadequovl.exe
PID 4188 wrote to memory of 1340	4188	voiceadequovl.exe	voiceadequovl.exe
PID 4188 wrote to memory of 1340	4188	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 3520	1340	voiceadequovl.exe	powershell.exe
PID 1340 wrote to memory of 3520	1340	voiceadequovl.exe	powershell.exe
PID 1340 wrote to memory of 3520	1340	voiceadequovl.exe	powershell.exe
PID 1340 wrote to memory of 3952	1340	voiceadequovl.exe	cmd.exe
PID 1340 wrote to memory of 3952	1340	voiceadequovl.exe	cmd.exe
PID 1340 wrote to memory of 3952	1340	voiceadequovl.exe	cmd.exe
PID 3952 wrote to memory of 4960	3952	cmd.exe	powershell.exe
PID 3952 wrote to memory of 4960	3952	cmd.exe	powershell.exe
PID 3952 wrote to memory of 4960	3952	cmd.exe	powershell.exe
PID 1340 wrote to memory of 2532	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 2532	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 2532	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 3472	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 3472	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 3472	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 1404	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 1404	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 1404	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 4304	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 4304	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 4304	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 4304	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 4304	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 4304	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 4304	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 4304	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 4304	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 4304	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 4304	1340	voiceadequovl.exe	voiceadequovl.exe
PID 4304 wrote to memory of 1124	4304	voiceadequovl.exe	wmic.exe
PID 4304 wrote to memory of 1124	4304	voiceadequovl.exe	wmic.exe
PID 4304 wrote to memory of 1124	4304	voiceadequovl.exe	wmic.exe
PID 4304 wrote to memory of 3196	4304	voiceadequovl.exe	cmd.exe
PID 4304 wrote to memory of 3196	4304	voiceadequovl.exe	cmd.exe
PID 4304 wrote to memory of 3196	4304	voiceadequovl.exe	cmd.exe
PID 3196 wrote to memory of 5052	3196	cmd.exe	WMIC.exe
PID 3196 wrote to memory of 5052	3196	cmd.exe	WMIC.exe
PID 3196 wrote to memory of 5052	3196	cmd.exe	WMIC.exe
PID 4304 wrote to memory of 4964	4304	voiceadequovl.exe	cmd.exe
PID 4304 wrote to memory of 4964	4304	voiceadequovl.exe	cmd.exe
PID 4304 wrote to memory of 4964	4304	voiceadequovl.exe	cmd.exe
PID 4964 wrote to memory of 4608	4964	cmd.exe	WMIC.exe
PID 4964 wrote to memory of 4608	4964	cmd.exe	WMIC.exe
PID 4964 wrote to memory of 4608	4964	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:2532

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:4608

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1404

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:3472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
0b6b295650c4bf2e0645d1c50b31af97

SHA1
3df6b294f3803b1d6429a02bfb947e94deefd2b6

SHA256
75fce9f15b0294f265e86da3b1e50d1ee7b379e09f2e46ae61e57e66561e03ae

SHA512
d4715510868161574fd8e316702e8c24f80b33fd80bd4afe3e256bd0f15755d08798fea94e7d723231d450256a9de5e5a76dc8c23eb4ae6b68c636d9e8e5db11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
329.9MB

MD5
9651b618b38f019bd34a26a20cd3860d

SHA1
daf719347eb21ab944e19e546aba2939eb039eaa

SHA256
5cb48e43f820e41a23407dfd5377f4369abb3010e8f5dd5984aab1659dfe1e70

SHA512
a59e747a564a3a62d5e956500425202d0720e33475c306af7bf70473f8fab800b7194e4f7500cb574f6a77abce0704120f93b1261756be5debf3a7dc1ad630c8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
253.0MB

MD5
887ca1339a03e6aa84182a6244656299

SHA1
3e991a7433bdd4b2046f2727af06641328e96a74

SHA256
7fa1d685f5bc0c055c7b4bd9202f1d6119ccc63f0a43d900f027cd50e1e70f2a

SHA512
362c091595fb6819da60aae5370e17b9144d6a9dea9b83eaf8b4cde366aa19a22f482e82a2b1cf058062ae362315d38a00876b2e047b853f9c6df920d102b101

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
244.7MB

MD5
8981ba726429cf29d283db803b9bdeeb

SHA1
5c68505db15fb5578cdc3d4068956febdbb42982

SHA256
2f68c93b5892cd7a5e4e0268ab3ab92d34139c06283da26bb74b0291d8116636

SHA512
ea735cd1884f8f0134c1eca1132e241fe77f9920967e80abf0e4612e6cef91863ca17f5e10de7a41d34d2a2cb0d294d1702f8245fe4cda670bfca208144098dd

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
112.1MB

MD5
196aba7ebab42299121075d4c45546d5

SHA1
665ab1b13512cc758deec1177a7838d3cd33d8d0

SHA256
92026a0908148bd7c9ad03b7bd2913615a912bf4fb61734b42064e7f7413f156

SHA512
af08192e5b9db9152dda44e4c18cfd4413337d01dc63469ac6ffc6fe0b38ab64d9556674db4e3eb7b9c812b5dbcc266951796c35402ace631e02fa2a8eb39149

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
113.8MB

MD5
4fdf08709831307043f6f84a18e45a57

SHA1
2f5927691c3163ee78cbe242fb908f6c90eecf61

SHA256
336fb0d2430311e74819e524fdc1a0418e4c8fe276470fbb34df86f463d9897f

SHA512
2e05a0c365a6321165ed3c1977831e332ce9c81f74451e6c853ed9b63e48981d0b8cce129d3b91bb42b192ef1559736eb2eb9377c5ddad4ce71fcf69bf1afa7a

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
114.6MB

MD5
b00aecc71994d0450fd2094bdd325494

SHA1
d83c37b9c267168ef24a16e04d634b3e60fda551

SHA256
2a9e6ed9e12e28503dc88be8deb96813b9f85f11c7538b6ab24b1587f80e51bc

SHA512
3a67af157e881d2b6f5bad91005faa7f35be14bc542749e26dff0faaac48505e4eba97a30f8d778f19df634321813d5b2fe89908def6dde5e986a922a27c6bf1

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
117.0MB

MD5
0bfeb6e4227cd6e6f6d3bdb2102fb97a

SHA1
279f584bdd12c57d40e32c5e54437174fa7c7aa0

SHA256
0d66a13421a908b932ebddecf1c797c9385909cb8188f8648348553b2faca3d3

SHA512
7863959c9871da8d15ad66ae30371745b255f228ceb8cbead5f6a964561f2eccd2dbc6766e19fb0f9842a96f511b3c04f33dbc0f48230d220c4d27c6636eab71

Download Submit
memory/1124-167-0x0000000000000000-mapping.dmp

Download
memory/1340-139-0x0000000007270000-0x0000000007292000-memory.dmp

Filesize
136KB

Download
memory/1340-138-0x0000000000BB0000-0x0000000001324000-memory.dmp

Filesize
7.5MB

Download
memory/1340-135-0x0000000000000000-mapping.dmp

Download
memory/1404-155-0x0000000000000000-mapping.dmp

Download
memory/2532-150-0x0000000000000000-mapping.dmp

Download
memory/3196-171-0x0000000000000000-mapping.dmp

Download
memory/3472-153-0x0000000000000000-mapping.dmp

Download
memory/3520-143-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/3520-144-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/3520-140-0x0000000000000000-mapping.dmp

Download
memory/3520-147-0x0000000006BF0000-0x0000000006C0A000-memory.dmp

Filesize
104KB

Download
memory/3520-141-0x0000000003110000-0x0000000003146000-memory.dmp

Filesize
216KB

Download
memory/3520-142-0x00000000059F0000-0x0000000006018000-memory.dmp

Filesize
6.2MB

Download
memory/3520-146-0x0000000007D10000-0x000000000838A000-memory.dmp

Filesize
6.5MB

Download
memory/3520-145-0x00000000066D0000-0x00000000066EE000-memory.dmp

Filesize
120KB

Download
memory/3952-148-0x0000000000000000-mapping.dmp

Download
memory/4188-132-0x0000000000000000-mapping.dmp

Download
memory/4304-163-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4304-161-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4304-178-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4304-158-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4304-157-0x0000000000000000-mapping.dmp

Download
memory/4608-174-0x0000000000000000-mapping.dmp

Download
memory/4960-168-0x00000000072D0000-0x00000000072EE000-memory.dmp

Filesize
120KB

Download
memory/4960-169-0x00000000074E0000-0x00000000074EA000-memory.dmp

Filesize
40KB

Download
memory/4960-170-0x0000000007730000-0x00000000077C6000-memory.dmp

Filesize
600KB

Download
memory/4960-149-0x0000000000000000-mapping.dmp

Download
memory/4960-166-0x0000000073730000-0x000000007377C000-memory.dmp

Filesize
304KB

Download
memory/4960-175-0x0000000005FB0000-0x0000000005FBE000-memory.dmp

Filesize
56KB

Download
memory/4960-176-0x0000000007690000-0x00000000076AA000-memory.dmp

Filesize
104KB

Download
memory/4960-177-0x0000000007670000-0x0000000007678000-memory.dmp

Filesize
32KB

Download
memory/4960-165-0x0000000007310000-0x0000000007342000-memory.dmp

Filesize
200KB

Download
memory/4964-173-0x0000000000000000-mapping.dmp

Download
memory/5052-172-0x0000000000000000-mapping.dmp

Download