aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
125s
max time network
130s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1424-66-0x0000000006620000-0x00000000069C0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

948 voiceadequovl.exe
1424 voiceadequovl.exe
1380 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

948 voiceadequovl.exe
948 voiceadequovl.exe
948 voiceadequovl.exe
948 voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
948	voiceadequovl.exe
1424	voiceadequovl.exe
1380	voiceadequovl.exe

pid	process
948	voiceadequovl.exe
948	voiceadequovl.exe
948	voiceadequovl.exe
948	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1424 set thread context of 1380 1424 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

516 powershell.exe
1668 powershell.exe

description	pid	process	target process
PID 1424 set thread context of 1380	1424	voiceadequovl.exe	voiceadequovl.exe

pid	process
516	powershell.exe
1668	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1424	voiceadequovl.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeIncreaseQuotaPrivilege	588	wmic.exe
Token: SeSecurityPrivilege	588	wmic.exe
Token: SeTakeOwnershipPrivilege	588	wmic.exe
Token: SeLoadDriverPrivilege	588	wmic.exe
Token: SeSystemProfilePrivilege	588	wmic.exe
Token: SeSystemtimePrivilege	588	wmic.exe
Token: SeProfSingleProcessPrivilege	588	wmic.exe
Token: SeIncBasePriorityPrivilege	588	wmic.exe
Token: SeCreatePagefilePrivilege	588	wmic.exe
Token: SeBackupPrivilege	588	wmic.exe
Token: SeRestorePrivilege	588	wmic.exe
Token: SeShutdownPrivilege	588	wmic.exe
Token: SeDebugPrivilege	588	wmic.exe
Token: SeSystemEnvironmentPrivilege	588	wmic.exe
Token: SeRemoteShutdownPrivilege	588	wmic.exe
Token: SeUndockPrivilege	588	wmic.exe
Token: SeManageVolumePrivilege	588	wmic.exe
Token: 33	588	wmic.exe
Token: 34	588	wmic.exe
Token: 35	588	wmic.exe
Token: SeIncreaseQuotaPrivilege	588	wmic.exe
Token: SeSecurityPrivilege	588	wmic.exe
Token: SeTakeOwnershipPrivilege	588	wmic.exe
Token: SeLoadDriverPrivilege	588	wmic.exe
Token: SeSystemProfilePrivilege	588	wmic.exe
Token: SeSystemtimePrivilege	588	wmic.exe
Token: SeProfSingleProcessPrivilege	588	wmic.exe
Token: SeIncBasePriorityPrivilege	588	wmic.exe
Token: SeCreatePagefilePrivilege	588	wmic.exe
Token: SeBackupPrivilege	588	wmic.exe
Token: SeRestorePrivilege	588	wmic.exe
Token: SeShutdownPrivilege	588	wmic.exe
Token: SeDebugPrivilege	588	wmic.exe
Token: SeSystemEnvironmentPrivilege	588	wmic.exe
Token: SeRemoteShutdownPrivilege	588	wmic.exe
Token: SeUndockPrivilege	588	wmic.exe
Token: SeManageVolumePrivilege	588	wmic.exe
Token: 33	588	wmic.exe
Token: 34	588	wmic.exe
Token: 35	588	wmic.exe
Token: SeIncreaseQuotaPrivilege	904	WMIC.exe
Token: SeSecurityPrivilege	904	WMIC.exe
Token: SeTakeOwnershipPrivilege	904	WMIC.exe
Token: SeLoadDriverPrivilege	904	WMIC.exe
Token: SeSystemProfilePrivilege	904	WMIC.exe
Token: SeSystemtimePrivilege	904	WMIC.exe
Token: SeProfSingleProcessPrivilege	904	WMIC.exe
Token: SeIncBasePriorityPrivilege	904	WMIC.exe
Token: SeCreatePagefilePrivilege	904	WMIC.exe
Token: SeBackupPrivilege	904	WMIC.exe
Token: SeRestorePrivilege	904	WMIC.exe
Token: SeShutdownPrivilege	904	WMIC.exe
Token: SeDebugPrivilege	904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	904	WMIC.exe
Token: SeRemoteShutdownPrivilege	904	WMIC.exe
Token: SeUndockPrivilege	904	WMIC.exe
Token: SeManageVolumePrivilege	904	WMIC.exe
Token: 33	904	WMIC.exe
Token: 34	904	WMIC.exe
Token: 35	904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	904	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 1728 wrote to memory of 948	1728	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1728 wrote to memory of 948	1728	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1728 wrote to memory of 948	1728	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1728 wrote to memory of 948	1728	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 948 wrote to memory of 1424	948	voiceadequovl.exe	voiceadequovl.exe
PID 948 wrote to memory of 1424	948	voiceadequovl.exe	voiceadequovl.exe
PID 948 wrote to memory of 1424	948	voiceadequovl.exe	voiceadequovl.exe
PID 948 wrote to memory of 1424	948	voiceadequovl.exe	voiceadequovl.exe
PID 1424 wrote to memory of 516	1424	voiceadequovl.exe	powershell.exe
PID 1424 wrote to memory of 516	1424	voiceadequovl.exe	powershell.exe
PID 1424 wrote to memory of 516	1424	voiceadequovl.exe	powershell.exe
PID 1424 wrote to memory of 516	1424	voiceadequovl.exe	powershell.exe
PID 1424 wrote to memory of 576	1424	voiceadequovl.exe	cmd.exe
PID 1424 wrote to memory of 576	1424	voiceadequovl.exe	cmd.exe
PID 1424 wrote to memory of 576	1424	voiceadequovl.exe	cmd.exe
PID 1424 wrote to memory of 576	1424	voiceadequovl.exe	cmd.exe
PID 576 wrote to memory of 1668	576	cmd.exe	powershell.exe
PID 576 wrote to memory of 1668	576	cmd.exe	powershell.exe
PID 576 wrote to memory of 1668	576	cmd.exe	powershell.exe
PID 576 wrote to memory of 1668	576	cmd.exe	powershell.exe
PID 1424 wrote to memory of 1380	1424	voiceadequovl.exe	voiceadequovl.exe
PID 1424 wrote to memory of 1380	1424	voiceadequovl.exe	voiceadequovl.exe
PID 1424 wrote to memory of 1380	1424	voiceadequovl.exe	voiceadequovl.exe
PID 1424 wrote to memory of 1380	1424	voiceadequovl.exe	voiceadequovl.exe
PID 1424 wrote to memory of 1380	1424	voiceadequovl.exe	voiceadequovl.exe
PID 1424 wrote to memory of 1380	1424	voiceadequovl.exe	voiceadequovl.exe
PID 1424 wrote to memory of 1380	1424	voiceadequovl.exe	voiceadequovl.exe
PID 1424 wrote to memory of 1380	1424	voiceadequovl.exe	voiceadequovl.exe
PID 1424 wrote to memory of 1380	1424	voiceadequovl.exe	voiceadequovl.exe
PID 1424 wrote to memory of 1380	1424	voiceadequovl.exe	voiceadequovl.exe
PID 1424 wrote to memory of 1380	1424	voiceadequovl.exe	voiceadequovl.exe
PID 1424 wrote to memory of 1380	1424	voiceadequovl.exe	voiceadequovl.exe
PID 1380 wrote to memory of 588	1380	voiceadequovl.exe	wmic.exe
PID 1380 wrote to memory of 588	1380	voiceadequovl.exe	wmic.exe
PID 1380 wrote to memory of 588	1380	voiceadequovl.exe	wmic.exe
PID 1380 wrote to memory of 588	1380	voiceadequovl.exe	wmic.exe
PID 1380 wrote to memory of 1176	1380	voiceadequovl.exe	cmd.exe
PID 1380 wrote to memory of 1176	1380	voiceadequovl.exe	cmd.exe
PID 1380 wrote to memory of 1176	1380	voiceadequovl.exe	cmd.exe
PID 1380 wrote to memory of 1176	1380	voiceadequovl.exe	cmd.exe
PID 1176 wrote to memory of 904	1176	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 904	1176	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 904	1176	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 904	1176	cmd.exe	WMIC.exe
PID 1380 wrote to memory of 1184	1380	voiceadequovl.exe	cmd.exe
PID 1380 wrote to memory of 1184	1380	voiceadequovl.exe	cmd.exe
PID 1380 wrote to memory of 1184	1380	voiceadequovl.exe	cmd.exe
PID 1380 wrote to memory of 1184	1380	voiceadequovl.exe	cmd.exe
PID 1184 wrote to memory of 952	1184	cmd.exe	WMIC.exe
PID 1184 wrote to memory of 952	1184	cmd.exe	WMIC.exe
PID 1184 wrote to memory of 952	1184	cmd.exe	WMIC.exe
PID 1184 wrote to memory of 952	1184	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:516
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:576
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1176
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1184
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:952

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
301.3MB

MD5
422fd89cbd19027dfe670d24c566cab5

SHA1
972670953fbcdb64011ba99b87f0786105adc7e7

SHA256
d78f7e9661dc3b0a005cfa29b6ebc49c479db618d33a62f7ab4f02b1cd145a2d

SHA512
d3d2caa43603c38ef91b3c35118580c560fd6160bf783461da19181def583da8c07676ba105023b20fcab463270d5423a1a7ad09d3434ef4910ad11d0706f5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
298.0MB

MD5
9af019d0645fe9ab2eb2dd318c1ab133

SHA1
217ba53ed9688e58616b239f833d1393e1852fea

SHA256
02ae0394a16ee334100214740eef6e1a6c9b1dbc74248afadcb03bf2870f3715

SHA512
b9758e1a343f5dff76c0a7c65fe4fbc89af87db4c8a639e7645e0bfaa403fa9e1228f335ba39617041d2137137e229b66d97efe49ded69de249ef79475fbe6ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c9251191c879356612153c479777d80b

SHA1
5a6b474ebd9bd7f14825f99cd44b9203d246db8f

SHA256
25396b08cb2775881948a3e669f35763701df308476b96a04a4fcabfb07f2e77

SHA512
bd2afcb07018a5d73615c66d86c7f9382826f22c209650f12fcaa107b03a210b90ef324a0eb752a1733fe749abf8e4bac975bec61015fb878570a571082fbfe2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
214.6MB

MD5
4a235f12e32cd742f4376af5ff8fa4c6

SHA1
409a87c679e78a5496f1d9bec6a516b0008b0ca2

SHA256
86de43a0da31e63645e3d8a36aa529069a900d69850df1020b898296db743f93

SHA512
00acb628fc132d54f6ee4b726634dab0223b76d2c73242b0807dbdbaf9de52c79baf04e048707845abf0623ac05fd7b8baa6d3f32ca2eff0e85e3e5a9a82a119

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
214.8MB

MD5
c53d1df62d94a13c37d646dc8fb5adf3

SHA1
1145d5f441fb5e01451dca4581161f42961d991c

SHA256
8f3bfdf1e3ec47415b00f8617c67dce3a566aac17063ed7d9346191762847f41

SHA512
e8286856c415c89f71daaedcf2f85daf262411cf4239a31d80040fa74c4a7d35dfdce9fc19e8ed9fa3f8ceae29a60604f9fabaf93793d26e1433e2948f8b5380

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
92.4MB

MD5
fbfeb8fd1870cc469758992304997905

SHA1
46f3de1065a1a2814776aefd717ace6d72d0cad6

SHA256
6f41c701ba2586694d86ad36d1fd3ec84b2bac34305ccc0c65ec855dd2d64f4e

SHA512
9986383bddcc1a62e2cdcf4c7dddc0dcb1da7144455affd444e60c667ba602c0b99910367242620537cff30551eddb306adb7f18d23dae2e099e9977cda6c4c0

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
220.5MB

MD5
7df068c2019f36e5489adf7fd3c106da

SHA1
4a93a917ace89b4929a74cc39ae0c5d2deeae252

SHA256
07364d5d4c6c9fc3a52d815a50b6592be969ac44e435854a985f066f30aabf24

SHA512
2476130749af9d20dcf22daeadef2d65395a2e26eb41b9219d115b4fd2e508cea9cbffc3553e4d1511eadef07983b3ea9b2610958130ff5743b4e025f9eb787a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
209.9MB

MD5
f6150fe0afebfb19ffa2c88156eebfa5

SHA1
3b4dd114ca7559e86ba735a744eb4e3bf640aa67

SHA256
27c02eb6d485933f1b76bc2c6563fb701d9036e2063811c1de4ce2eaeed25df0

SHA512
13a3f2363d9f645d8eab4394249eb99ac18f4751cbcb102e6adc24a6b862cbb218daec9c207ab9a93e3eb466ba057fb1bd3a5fcd4abb9f8817ef0f4e33e7b996

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
220.2MB

MD5
b33d24eb9449bf5df882aedad62d2f5d

SHA1
49b7699654a48c18bcccff96fdcd18d023cc0dc8

SHA256
5c29862b5da907ee177c925f9d6a6fcf008940566591692015ffef699455d253

SHA512
572cac80179e160af1938c1f8c777cc4da50f3cf5d645ec82920811fff51f6761ae9a32d1285db002722ee04174b2e90a6f4d5af269ad4be334b7073234de84a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
216.8MB

MD5
0648de61c9bac1bad8ca928b73d62789

SHA1
3d8c6768f56d7bfadfcea863981401bdb1290053

SHA256
f08abeecf7d599d7b12d449235688b94af254e9fd7459ed65a8ee910d5831560

SHA512
0b7c3a007c709ecdc47c141afe5a118d89b895f6c682f9f344acbe6e78b6724965af385cdc4cff418baa91052b14d743a4a9ff7f71bce65b299d3ed987498183

Download Submit
memory/516-70-0x000000006F330000-0x000000006F8DB000-memory.dmp

Filesize
5.7MB

Download
memory/516-71-0x000000006F330000-0x000000006F8DB000-memory.dmp

Filesize
5.7MB

Download
memory/516-67-0x0000000000000000-mapping.dmp

Download
memory/516-69-0x000000006F330000-0x000000006F8DB000-memory.dmp

Filesize
5.7MB

Download
memory/576-72-0x0000000000000000-mapping.dmp

Download
memory/588-97-0x0000000000000000-mapping.dmp

Download
memory/904-99-0x0000000000000000-mapping.dmp

Download
memory/948-56-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/948-54-0x0000000000000000-mapping.dmp

Download
memory/952-101-0x0000000000000000-mapping.dmp

Download
memory/1176-98-0x0000000000000000-mapping.dmp

Download
memory/1184-100-0x0000000000000000-mapping.dmp

Download
memory/1380-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1380-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1380-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1380-102-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1380-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1380-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1380-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1380-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1380-90-0x0000000000464C20-mapping.dmp

Download
memory/1380-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1380-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1380-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1380-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1424-65-0x0000000000EB0000-0x0000000001624000-memory.dmp

Filesize
7.5MB

Download
memory/1424-62-0x0000000000000000-mapping.dmp

Download
memory/1424-66-0x0000000006620000-0x00000000069C0000-memory.dmp

Filesize
3.6MB

Download
memory/1424-74-0x0000000005490000-0x0000000005602000-memory.dmp

Filesize
1.4MB

Download
memory/1668-73-0x0000000000000000-mapping.dmp

Download
memory/1668-94-0x000000006F2F0000-0x000000006F89B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-83-0x000000006F2F0000-0x000000006F89B000-memory.dmp

Filesize
5.7MB

Download