aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
92s
max time network
96s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1228-66-0x0000000006460000-0x0000000006800000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1952 voiceadequovl.exe
1228 voiceadequovl.exe
1392 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1952 voiceadequovl.exe
1952 voiceadequovl.exe
1952 voiceadequovl.exe
1952 voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1952	voiceadequovl.exe
1228	voiceadequovl.exe
1392	voiceadequovl.exe

pid	process
1952	voiceadequovl.exe
1952	voiceadequovl.exe
1952	voiceadequovl.exe
1952	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1228 set thread context of 1392 1228 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

928 powershell.exe
1092 powershell.exe

description	pid	process	target process
PID 1228 set thread context of 1392	1228	voiceadequovl.exe	voiceadequovl.exe

pid	process
928	powershell.exe
1092	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1228	voiceadequovl.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeIncreaseQuotaPrivilege	1576	wmic.exe
Token: SeSecurityPrivilege	1576	wmic.exe
Token: SeTakeOwnershipPrivilege	1576	wmic.exe
Token: SeLoadDriverPrivilege	1576	wmic.exe
Token: SeSystemProfilePrivilege	1576	wmic.exe
Token: SeSystemtimePrivilege	1576	wmic.exe
Token: SeProfSingleProcessPrivilege	1576	wmic.exe
Token: SeIncBasePriorityPrivilege	1576	wmic.exe
Token: SeCreatePagefilePrivilege	1576	wmic.exe
Token: SeBackupPrivilege	1576	wmic.exe
Token: SeRestorePrivilege	1576	wmic.exe
Token: SeShutdownPrivilege	1576	wmic.exe
Token: SeDebugPrivilege	1576	wmic.exe
Token: SeSystemEnvironmentPrivilege	1576	wmic.exe
Token: SeRemoteShutdownPrivilege	1576	wmic.exe
Token: SeUndockPrivilege	1576	wmic.exe
Token: SeManageVolumePrivilege	1576	wmic.exe
Token: 33	1576	wmic.exe
Token: 34	1576	wmic.exe
Token: 35	1576	wmic.exe
Token: SeIncreaseQuotaPrivilege	1576	wmic.exe
Token: SeSecurityPrivilege	1576	wmic.exe
Token: SeTakeOwnershipPrivilege	1576	wmic.exe
Token: SeLoadDriverPrivilege	1576	wmic.exe
Token: SeSystemProfilePrivilege	1576	wmic.exe
Token: SeSystemtimePrivilege	1576	wmic.exe
Token: SeProfSingleProcessPrivilege	1576	wmic.exe
Token: SeIncBasePriorityPrivilege	1576	wmic.exe
Token: SeCreatePagefilePrivilege	1576	wmic.exe
Token: SeBackupPrivilege	1576	wmic.exe
Token: SeRestorePrivilege	1576	wmic.exe
Token: SeShutdownPrivilege	1576	wmic.exe
Token: SeDebugPrivilege	1576	wmic.exe
Token: SeSystemEnvironmentPrivilege	1576	wmic.exe
Token: SeRemoteShutdownPrivilege	1576	wmic.exe
Token: SeUndockPrivilege	1576	wmic.exe
Token: SeManageVolumePrivilege	1576	wmic.exe
Token: 33	1576	wmic.exe
Token: 34	1576	wmic.exe
Token: 35	1576	wmic.exe
Token: SeIncreaseQuotaPrivilege	1340	WMIC.exe
Token: SeSecurityPrivilege	1340	WMIC.exe
Token: SeTakeOwnershipPrivilege	1340	WMIC.exe
Token: SeLoadDriverPrivilege	1340	WMIC.exe
Token: SeSystemProfilePrivilege	1340	WMIC.exe
Token: SeSystemtimePrivilege	1340	WMIC.exe
Token: SeProfSingleProcessPrivilege	1340	WMIC.exe
Token: SeIncBasePriorityPrivilege	1340	WMIC.exe
Token: SeCreatePagefilePrivilege	1340	WMIC.exe
Token: SeBackupPrivilege	1340	WMIC.exe
Token: SeRestorePrivilege	1340	WMIC.exe
Token: SeShutdownPrivilege	1340	WMIC.exe
Token: SeDebugPrivilege	1340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1340	WMIC.exe
Token: SeRemoteShutdownPrivilege	1340	WMIC.exe
Token: SeUndockPrivilege	1340	WMIC.exe
Token: SeManageVolumePrivilege	1340	WMIC.exe
Token: 33	1340	WMIC.exe
Token: 34	1340	WMIC.exe
Token: 35	1340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1340	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 1908 wrote to memory of 1952	1908	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1908 wrote to memory of 1952	1908	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1908 wrote to memory of 1952	1908	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1908 wrote to memory of 1952	1908	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1952 wrote to memory of 1228	1952	voiceadequovl.exe	voiceadequovl.exe
PID 1952 wrote to memory of 1228	1952	voiceadequovl.exe	voiceadequovl.exe
PID 1952 wrote to memory of 1228	1952	voiceadequovl.exe	voiceadequovl.exe
PID 1952 wrote to memory of 1228	1952	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 928	1228	voiceadequovl.exe	powershell.exe
PID 1228 wrote to memory of 928	1228	voiceadequovl.exe	powershell.exe
PID 1228 wrote to memory of 928	1228	voiceadequovl.exe	powershell.exe
PID 1228 wrote to memory of 928	1228	voiceadequovl.exe	powershell.exe
PID 1228 wrote to memory of 768	1228	voiceadequovl.exe	cmd.exe
PID 1228 wrote to memory of 768	1228	voiceadequovl.exe	cmd.exe
PID 1228 wrote to memory of 768	1228	voiceadequovl.exe	cmd.exe
PID 1228 wrote to memory of 768	1228	voiceadequovl.exe	cmd.exe
PID 768 wrote to memory of 1092	768	cmd.exe	powershell.exe
PID 768 wrote to memory of 1092	768	cmd.exe	powershell.exe
PID 768 wrote to memory of 1092	768	cmd.exe	powershell.exe
PID 768 wrote to memory of 1092	768	cmd.exe	powershell.exe
PID 1228 wrote to memory of 1392	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 1392	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 1392	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 1392	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 1392	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 1392	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 1392	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 1392	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 1392	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 1392	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 1392	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 1392	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1392 wrote to memory of 1576	1392	voiceadequovl.exe	wmic.exe
PID 1392 wrote to memory of 1576	1392	voiceadequovl.exe	wmic.exe
PID 1392 wrote to memory of 1576	1392	voiceadequovl.exe	wmic.exe
PID 1392 wrote to memory of 1576	1392	voiceadequovl.exe	wmic.exe
PID 1392 wrote to memory of 844	1392	voiceadequovl.exe	cmd.exe
PID 1392 wrote to memory of 844	1392	voiceadequovl.exe	cmd.exe
PID 1392 wrote to memory of 844	1392	voiceadequovl.exe	cmd.exe
PID 1392 wrote to memory of 844	1392	voiceadequovl.exe	cmd.exe
PID 844 wrote to memory of 1340	844	cmd.exe	WMIC.exe
PID 844 wrote to memory of 1340	844	cmd.exe	WMIC.exe
PID 844 wrote to memory of 1340	844	cmd.exe	WMIC.exe
PID 844 wrote to memory of 1340	844	cmd.exe	WMIC.exe
PID 1392 wrote to memory of 1276	1392	voiceadequovl.exe	cmd.exe
PID 1392 wrote to memory of 1276	1392	voiceadequovl.exe	cmd.exe
PID 1392 wrote to memory of 1276	1392	voiceadequovl.exe	cmd.exe
PID 1392 wrote to memory of 1276	1392	voiceadequovl.exe	cmd.exe
PID 1276 wrote to memory of 1304	1276	cmd.exe	WMIC.exe
PID 1276 wrote to memory of 1304	1276	cmd.exe	WMIC.exe
PID 1276 wrote to memory of 1304	1276	cmd.exe	WMIC.exe
PID 1276 wrote to memory of 1304	1276	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
357.0MB

MD5
9cd68e588d2a986b9a5f4f9b85feb8f6

SHA1
5436ee009bb710f40503f51b618b2e563a5eff54

SHA256
cee1cdfeb5a9d88c7bc596b0697c124aa160d68782b88e014db685e51fe9ca7b

SHA512
a3afa1c4ab76dcdd833c55ad879b8ad1f6981eb3be6e686389cfe99365da62d0e39326749f9208710ceb8cb500c8a715ceaf660e232350ddcb7d688425860f5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
2c0ec0ea989227ba6c3efa6900828674

SHA1
b5865af94073b4bc542fd03bf5885c3772b4056b

SHA256
a42eac412bf95b9de765c45a6213a4e6c4998c4ddb562d0faaa1a54954d5642f

SHA512
fb918ac970f576d593ca085f83ab18d4281cd5acd05e01e41df39ec636176c064883315ed3139592b32a12baa3cb656dccd21757cfb4e7d8db028ae890ad21d7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
283.9MB

MD5
bde0acf0493fa578120bedab96114221

SHA1
cb691127a2910a87c2fc91bc8e1f3547118a97d8

SHA256
44a4109be20c33ffd78f1863bfe647f40d57011ba711171c01dcaf2d454135f9

SHA512
00b1f97773ddb459e703b9780a3fb17f34c344a92f86bbfdcc3ec94e7ede4c2aaade64f2ad4cdb5d049673e4a034148c2a619eda3c71ec156247f2b22919640f

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
275.7MB

MD5
bfd61114b28659a3d5d7fc1ff251686e

SHA1
c430a76d650517edc03f81405307d55cb8bd2b6f

SHA256
851b61b1594e195fd3772264d5a5eca4739c1f09f1dc8607acb5de7cf95fbb4f

SHA512
69505bcce58395ddad2360c95f233f283a43d48f10e565c5fa3f74660c91f5787004e1134a67aafd0aa3c7df8039d11280079695560132a9ceb6eb4685d6977e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
139.7MB

MD5
25a195ff3b433e1ece921edf3a714bb7

SHA1
d7ee98d0421bb8040f4a19ff8cfbadb24125164c

SHA256
228cefaf651e82614e7a01380373215ec2e64e3281d88e5897b63a55f0408fae

SHA512
de08c3401908aaf9dc63943cceda7096d6780a340a8f59fbca366f9b86de8d182918f91d169bf36514b11753f0b34c01765551f9355f57cb0504ef42386ef328

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
281.3MB

MD5
aebe8611a8870c7beb963e63a0520a01

SHA1
dfbf1fe809bf539a9964fb34838e90680f5e365b

SHA256
abd1cac2ee42c93d128edb85c3105f1591a7e2bea049ac50b5dfeb94a85479a8

SHA512
760aa1392143da6df1dd003032b36caa6427624735d7a8a91166b1f367ec2420077324ab6f1562ce51016cd77e7d64344d681add1790b41b4fa5857d24c52f65

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
282.8MB

MD5
98cf3edac7b2c02b51f990a397e4e068

SHA1
857812686058de48cc70ccf9d9342b9009234271

SHA256
5afab7ae8bd647aa27e44851f7de8c5020be6b3b865efe4e407ebecf2af2a43f

SHA512
04d78c36c896caa7ce3ebb4aba01ef9ede7a1a044ee1a773a754a0ee3a9e0e82cb85e78bbc5bd7fa9be09343fb878b9bbc1eac1069b0da832ec205769daa383c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
280.2MB

MD5
1db16dfdcf8612e4bc02ec1a47328d17

SHA1
4dc4684d7bda4755d2045e325e4c974b71d3dbcd

SHA256
9783249313f3d2c7f8c75c201ae90587bbd0715b467badba7ca64640f3d6d284

SHA512
0ea45a542dc30adf1f686ef38a8a6b9f491c7c6ca5d9174157c3858190d2a07f26f1947cc7f7b2d5083ba6b63a71e50a9de58ad2a491924d1c6175481ad02ab7

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
282.3MB

MD5
35424a7d0b5f80991216d17968788b62

SHA1
1c0472a879f34e2f52486336ade427433b750f55

SHA256
9912e92fa25a0524ee8ae454554c4e8aaddd0de3e2f824a4a7ced89675041a4b

SHA512
a597a162b0e8798a2c5d128ceba3c1593a0f0b57df7a8774e8cfb2d39347e9ae2ac3d32ed81aba9edb770ea48d983a7ab7f935bbe69355e63a9ce1034bff43b8

Download Submit
memory/768-72-0x0000000000000000-mapping.dmp

Download
memory/844-97-0x0000000000000000-mapping.dmp

Download
memory/928-70-0x0000000070210000-0x00000000707BB000-memory.dmp

Filesize
5.7MB

Download
memory/928-67-0x0000000000000000-mapping.dmp

Download
memory/928-69-0x0000000070210000-0x00000000707BB000-memory.dmp

Filesize
5.7MB

Download
memory/928-71-0x0000000070210000-0x00000000707BB000-memory.dmp

Filesize
5.7MB

Download
memory/1092-73-0x0000000000000000-mapping.dmp

Download
memory/1092-95-0x000000006FF90000-0x000000007053B000-memory.dmp

Filesize
5.7MB

Download
memory/1092-93-0x000000006FF90000-0x000000007053B000-memory.dmp

Filesize
5.7MB

Download
memory/1228-66-0x0000000006460000-0x0000000006800000-memory.dmp

Filesize
3.6MB

Download
memory/1228-74-0x00000000053E0000-0x0000000005552000-memory.dmp

Filesize
1.4MB

Download
memory/1228-65-0x00000000011C0000-0x0000000001934000-memory.dmp

Filesize
7.5MB

Download
memory/1228-62-0x0000000000000000-mapping.dmp

Download
memory/1276-99-0x0000000000000000-mapping.dmp

Download
memory/1304-100-0x0000000000000000-mapping.dmp

Download
memory/1340-98-0x0000000000000000-mapping.dmp

Download
memory/1392-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1392-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1392-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1392-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1392-89-0x0000000000464C20-mapping.dmp

Download
memory/1392-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1392-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1392-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1392-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1392-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1392-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1392-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1576-96-0x0000000000000000-mapping.dmp

Download
memory/1952-56-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1952-54-0x0000000000000000-mapping.dmp

Download