aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
82s
max time network
85s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 01:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/844-66-0x0000000006530000-0x00000000068D0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 5 IoCs

pid	Process
1116	voiceadequovl.exe
844	voiceadequovl.exe
848	voiceadequovl.exe
2000	voiceadequovl.exe
2004	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1116	voiceadequovl.exe
1116	voiceadequovl.exe
1116	voiceadequovl.exe
1116	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 844 set thread context of 2004	844	voiceadequovl.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1928	powershell.exe
844	voiceadequovl.exe
844	voiceadequovl.exe
844	voiceadequovl.exe
844	voiceadequovl.exe
1696	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	voiceadequovl.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeIncreaseQuotaPrivilege	1728	wmic.exe
Token: SeSecurityPrivilege	1728	wmic.exe
Token: SeTakeOwnershipPrivilege	1728	wmic.exe
Token: SeLoadDriverPrivilege	1728	wmic.exe
Token: SeSystemProfilePrivilege	1728	wmic.exe
Token: SeSystemtimePrivilege	1728	wmic.exe
Token: SeProfSingleProcessPrivilege	1728	wmic.exe
Token: SeIncBasePriorityPrivilege	1728	wmic.exe
Token: SeCreatePagefilePrivilege	1728	wmic.exe
Token: SeBackupPrivilege	1728	wmic.exe
Token: SeRestorePrivilege	1728	wmic.exe
Token: SeShutdownPrivilege	1728	wmic.exe
Token: SeDebugPrivilege	1728	wmic.exe
Token: SeSystemEnvironmentPrivilege	1728	wmic.exe
Token: SeRemoteShutdownPrivilege	1728	wmic.exe
Token: SeUndockPrivilege	1728	wmic.exe
Token: SeManageVolumePrivilege	1728	wmic.exe
Token: 33	1728	wmic.exe
Token: 34	1728	wmic.exe
Token: 35	1728	wmic.exe
Token: SeIncreaseQuotaPrivilege	1728	wmic.exe
Token: SeSecurityPrivilege	1728	wmic.exe
Token: SeTakeOwnershipPrivilege	1728	wmic.exe
Token: SeLoadDriverPrivilege	1728	wmic.exe
Token: SeSystemProfilePrivilege	1728	wmic.exe
Token: SeSystemtimePrivilege	1728	wmic.exe
Token: SeProfSingleProcessPrivilege	1728	wmic.exe
Token: SeIncBasePriorityPrivilege	1728	wmic.exe
Token: SeCreatePagefilePrivilege	1728	wmic.exe
Token: SeBackupPrivilege	1728	wmic.exe
Token: SeRestorePrivilege	1728	wmic.exe
Token: SeShutdownPrivilege	1728	wmic.exe
Token: SeDebugPrivilege	1728	wmic.exe
Token: SeSystemEnvironmentPrivilege	1728	wmic.exe
Token: SeRemoteShutdownPrivilege	1728	wmic.exe
Token: SeUndockPrivilege	1728	wmic.exe
Token: SeManageVolumePrivilege	1728	wmic.exe
Token: 33	1728	wmic.exe
Token: 34	1728	wmic.exe
Token: 35	1728	wmic.exe
Token: SeIncreaseQuotaPrivilege	1392	WMIC.exe
Token: SeSecurityPrivilege	1392	WMIC.exe
Token: SeTakeOwnershipPrivilege	1392	WMIC.exe
Token: SeLoadDriverPrivilege	1392	WMIC.exe
Token: SeSystemProfilePrivilege	1392	WMIC.exe
Token: SeSystemtimePrivilege	1392	WMIC.exe
Token: SeProfSingleProcessPrivilege	1392	WMIC.exe
Token: SeIncBasePriorityPrivilege	1392	WMIC.exe
Token: SeCreatePagefilePrivilege	1392	WMIC.exe
Token: SeBackupPrivilege	1392	WMIC.exe
Token: SeRestorePrivilege	1392	WMIC.exe
Token: SeShutdownPrivilege	1392	WMIC.exe
Token: SeDebugPrivilege	1392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1392	WMIC.exe
Token: SeRemoteShutdownPrivilege	1392	WMIC.exe
Token: SeUndockPrivilege	1392	WMIC.exe
Token: SeManageVolumePrivilege	1392	WMIC.exe
Token: 33	1392	WMIC.exe
Token: 34	1392	WMIC.exe
Token: 35	1392	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1392	WMIC.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1116	1476	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1476 wrote to memory of 1116	1476	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1476 wrote to memory of 1116	1476	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1476 wrote to memory of 1116	1476	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1116 wrote to memory of 844	1116	voiceadequovl.exe	28
PID 1116 wrote to memory of 844	1116	voiceadequovl.exe	28
PID 1116 wrote to memory of 844	1116	voiceadequovl.exe	28
PID 1116 wrote to memory of 844	1116	voiceadequovl.exe	28
PID 844 wrote to memory of 1928	844	voiceadequovl.exe	30
PID 844 wrote to memory of 1928	844	voiceadequovl.exe	30
PID 844 wrote to memory of 1928	844	voiceadequovl.exe	30
PID 844 wrote to memory of 1928	844	voiceadequovl.exe	30
PID 844 wrote to memory of 1488	844	voiceadequovl.exe	32
PID 844 wrote to memory of 1488	844	voiceadequovl.exe	32
PID 844 wrote to memory of 1488	844	voiceadequovl.exe	32
PID 844 wrote to memory of 1488	844	voiceadequovl.exe	32
PID 1488 wrote to memory of 1696	1488	cmd.exe	33
PID 1488 wrote to memory of 1696	1488	cmd.exe	33
PID 1488 wrote to memory of 1696	1488	cmd.exe	33
PID 1488 wrote to memory of 1696	1488	cmd.exe	33
PID 844 wrote to memory of 848	844	voiceadequovl.exe	34
PID 844 wrote to memory of 848	844	voiceadequovl.exe	34
PID 844 wrote to memory of 848	844	voiceadequovl.exe	34
PID 844 wrote to memory of 848	844	voiceadequovl.exe	34
PID 844 wrote to memory of 2000	844	voiceadequovl.exe	35
PID 844 wrote to memory of 2000	844	voiceadequovl.exe	35
PID 844 wrote to memory of 2000	844	voiceadequovl.exe	35
PID 844 wrote to memory of 2000	844	voiceadequovl.exe	35
PID 844 wrote to memory of 2004	844	voiceadequovl.exe	36
PID 844 wrote to memory of 2004	844	voiceadequovl.exe	36
PID 844 wrote to memory of 2004	844	voiceadequovl.exe	36
PID 844 wrote to memory of 2004	844	voiceadequovl.exe	36
PID 844 wrote to memory of 2004	844	voiceadequovl.exe	36
PID 844 wrote to memory of 2004	844	voiceadequovl.exe	36
PID 844 wrote to memory of 2004	844	voiceadequovl.exe	36
PID 844 wrote to memory of 2004	844	voiceadequovl.exe	36
PID 844 wrote to memory of 2004	844	voiceadequovl.exe	36
PID 844 wrote to memory of 2004	844	voiceadequovl.exe	36
PID 844 wrote to memory of 2004	844	voiceadequovl.exe	36
PID 844 wrote to memory of 2004	844	voiceadequovl.exe	36
PID 2004 wrote to memory of 1728	2004	voiceadequovl.exe	37
PID 2004 wrote to memory of 1728	2004	voiceadequovl.exe	37
PID 2004 wrote to memory of 1728	2004	voiceadequovl.exe	37
PID 2004 wrote to memory of 1728	2004	voiceadequovl.exe	37
PID 2004 wrote to memory of 1632	2004	voiceadequovl.exe	41
PID 2004 wrote to memory of 1632	2004	voiceadequovl.exe	41
PID 2004 wrote to memory of 1632	2004	voiceadequovl.exe	41
PID 2004 wrote to memory of 1632	2004	voiceadequovl.exe	41
PID 1632 wrote to memory of 1392	1632	cmd.exe	42
PID 1632 wrote to memory of 1392	1632	cmd.exe	42
PID 1632 wrote to memory of 1392	1632	cmd.exe	42
PID 1632 wrote to memory of 1392	1632	cmd.exe	42
PID 2004 wrote to memory of 600	2004	voiceadequovl.exe	43
PID 2004 wrote to memory of 600	2004	voiceadequovl.exe	43
PID 2004 wrote to memory of 600	2004	voiceadequovl.exe	43
PID 2004 wrote to memory of 600	2004	voiceadequovl.exe	43
PID 600 wrote to memory of 972	600	cmd.exe	44
PID 600 wrote to memory of 972	600	cmd.exe	44
PID 600 wrote to memory of 972	600	cmd.exe	44
PID 600 wrote to memory of 972	600	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:848
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:2000
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:600
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
153.2MB

MD5
b06eef8073b538b3ffbb4e0449543679

SHA1
f9a26ba4a3a70129a59ed987974000a259e85de7

SHA256
58e620fdd040f5beeb3e7957f7e13ea1bb59b82ac7d342a3e54b14e06fe93711

SHA512
c37deb916f1ad92c92e9329d3602634f47bb45e04e1fd055901c290bdb0872c64ea0a1162030b42a980b32a0e80b93cae50589c2ae89bf414485b952bbdbc66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
147.4MB

MD5
b721578df9fd4a9870a3459899a18937

SHA1
ac02abba2b08a634b12629a58fc1d2c4155d54fc

SHA256
bcc35eb5f01ca2ec1b814dea3858d714fc79eb8bf98446aa23418d96390896f9

SHA512
948194a5e028218ade6b0aa4b4e2af1626d9069013c8124cf8453e612168d3f62c950066ec90e592eb3dd8de655da60f51e934c335db4f6869e933d5cae1bbdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8980c3d5b7b6e2db43705c6e71bba6ea

SHA1
0cc73600b9a3d72ff161d3eca7cd0732132520d0

SHA256
cbb711ed57de090ba80b3a110cfeed38426cc19d8337d97ada2492cdff19e315

SHA512
0649f9d766e7ff30d71df9aea0181492343b33b8c7a2802454293d56c63b06e576555f7276b5c3f64a1a673bbe2d4bcacb4f540935a7a916aac6fa71921e2ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
131.5MB

MD5
078d38ab5a9abe6a18d3dc85c9eaa880

SHA1
3126d939c54236eb68e275223f5a5fea23ca416f

SHA256
9ad8abcce9651badc5072079a72d48f377cd47d13f64b25d71f97de94f8137ad

SHA512
9841d0629a95aeb7b9484a9015b9afe2e9b56802328f9b462703e1001ef68135c42a4bcdc98c2ae8eb07bcbccb69a36b1a9a8df7a1dff1fc7456fd2e9b695145

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
130.6MB

MD5
dd4b34a81baf678afc02c5c2b6c25f93

SHA1
2b0b3593871e59c4be410dcb0d3d46a60a8c437a

SHA256
7546f1f125b6b445d089e40f993db397061e6fda896e3b6dafbfacffebabe1b9

SHA512
d5ff9f2d8c4fae50bf1e216e5fc9260280322fec9aaa75c8de35cc0f7035d2356f1caec6ddfbd04fa8edc574432c0d71ee9ff2d926b9c6d2d0b0848f879125d5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
78.2MB

MD5
8f21292e8cb366367307ca5224531f9d

SHA1
68fa06595f1c1fc15ea0d19bcb638492d02a63e4

SHA256
9604b4d90dbfd93192e57f630eb00508a2d021b2a8cb5f014df72e96bca97529

SHA512
56d50e711d45247a320ee07da6c9196badedc7e28380371677ce604a324f20e28dc9cc11c7d71432756183810ff9b69df1eee2ce529387cc706eae7c1645ca17

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
74.9MB

MD5
233db0587cdb6504abf968636bf0c53f

SHA1
638ffa592a61450aa424c1d9a211b7c311a0a4af

SHA256
882274c2c6b71649127ac9df39994c85786fdc08d3fa37500c8f505ecd203323

SHA512
21c8eebf16ac9903833708acbee7b92aa2a79ab5f938bf7cc46a2ed7d4a2d75c8c1b606a919577ae7482917d2eab0f1e5ea59c1440284953d95e3ca34d66f0c3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
78.2MB

MD5
3e30848a86a0d253c4cb56f63a41631b

SHA1
121e00c2f20920a9a0f03f5c22be5de515e320c4

SHA256
b56d01c611955507156cc1f0f4f5a15df57d29f6902f353a94cbff7c78665f83

SHA512
67e3086a686da6cd9fc6c323c045bf8fbb90da354680664ee05ae511dddb674d5ff70b2a3f62cfe91ce1010e6731bf48d4f5bed1d09b2bea524443ad51b2a97f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
130.1MB

MD5
8a7fa28725c67b9f823c6d890349645b

SHA1
480b5086050a01090eb77f093e210ce1434b5724

SHA256
a6901ccfdfd66bae0d5a14d7a2f96c5c71d47c3d635a219fa8b4636839dab27d

SHA512
68ba5e55017f420e8b5809aa7ee3caf45d80c2f133ea23b5937390629c10113d7d91151bdd4ae1952c4ff7b84c5706d271eb5e73a46b1d1562166b9adb03b966

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
133.0MB

MD5
0f86bda98c031511f0e85faaebeace6d

SHA1
f1f34fd130a316be13b214005954c433eeed60ee

SHA256
9e6c905336f5ec89f9f8c6c0c12d1f46deb23bf48732b01ebf6ef29d39e668c1

SHA512
fa8ada2cf155f6f7702a2ae12a690657d1d3d61795f2f9a50cc51442ea18f53c719a23a5fab9a60dba935eb2a91b5cda96464e209a0743093dd2ecf54665ccfb

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
134.9MB

MD5
0e57d576eb4843b87e397b2d45d54a6d

SHA1
cde05fb912faddf822f12409bcf2aff4ed3337d1

SHA256
6b07db3bbeb0d01de173de31f014e8d1e296c74c3e873bea0db145fe5911e8ac

SHA512
8f4280054454f10bf49e3a37f2514d3605220b207a8476d6745512d557e1802a857806700a1f773b98623b98e244ff803eb510067731d8eb278d19ad2989ed77

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
133.1MB

MD5
0ecafda6c7fd7f8320c2bc9bd420af3b

SHA1
f0c2619a360bc66097b22ddacf29088e77f11484

SHA256
8e4408acd52014bcf211521a99998a33a16f55adcbeec3e2463f160aad8809f4

SHA512
1824f59f2c6f99f926eba9b840c974c3b87276fc38c23c2145950a67561517d452ff3c902c070fa9ed59f9f5f160f52e3643f02e4a4d435e91a8e6cf95d647e7

Download Submit
memory/844-73-0x0000000005470000-0x00000000055E2000-memory.dmp

Filesize
1.4MB

Download
memory/844-65-0x00000000013E0000-0x0000000001B54000-memory.dmp

Filesize
7.5MB

Download
memory/844-66-0x0000000006530000-0x00000000068D0000-memory.dmp

Filesize
3.6MB

Download
memory/1116-56-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1696-98-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-95-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-69-0x000000006F3C0000-0x000000006F96B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-70-0x000000006F3C0000-0x000000006F96B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-71-0x000000006F3C0000-0x000000006F96B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2004-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2004-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2004-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2004-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2004-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2004-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2004-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2004-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2004-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2004-103-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2004-104-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download