aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
63s
max time network
68s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 01:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/952-66-0x0000000006400000-0x00000000067A0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 4 IoCs

pid	Process
1976	voiceadequovl.exe
952	voiceadequovl.exe
876	voiceadequovl.exe
676	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1976	voiceadequovl.exe
1976	voiceadequovl.exe
1976	voiceadequovl.exe
1976	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 952 set thread context of 676	952	voiceadequovl.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
644	powershell.exe
1000	powershell.exe
952	voiceadequovl.exe
952	voiceadequovl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	voiceadequovl.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeIncreaseQuotaPrivilege	1608	wmic.exe
Token: SeSecurityPrivilege	1608	wmic.exe
Token: SeTakeOwnershipPrivilege	1608	wmic.exe
Token: SeLoadDriverPrivilege	1608	wmic.exe
Token: SeSystemProfilePrivilege	1608	wmic.exe
Token: SeSystemtimePrivilege	1608	wmic.exe
Token: SeProfSingleProcessPrivilege	1608	wmic.exe
Token: SeIncBasePriorityPrivilege	1608	wmic.exe
Token: SeCreatePagefilePrivilege	1608	wmic.exe
Token: SeBackupPrivilege	1608	wmic.exe
Token: SeRestorePrivilege	1608	wmic.exe
Token: SeShutdownPrivilege	1608	wmic.exe
Token: SeDebugPrivilege	1608	wmic.exe
Token: SeSystemEnvironmentPrivilege	1608	wmic.exe
Token: SeRemoteShutdownPrivilege	1608	wmic.exe
Token: SeUndockPrivilege	1608	wmic.exe
Token: SeManageVolumePrivilege	1608	wmic.exe
Token: 33	1608	wmic.exe
Token: 34	1608	wmic.exe
Token: 35	1608	wmic.exe
Token: SeIncreaseQuotaPrivilege	1608	wmic.exe
Token: SeSecurityPrivilege	1608	wmic.exe
Token: SeTakeOwnershipPrivilege	1608	wmic.exe
Token: SeLoadDriverPrivilege	1608	wmic.exe
Token: SeSystemProfilePrivilege	1608	wmic.exe
Token: SeSystemtimePrivilege	1608	wmic.exe
Token: SeProfSingleProcessPrivilege	1608	wmic.exe
Token: SeIncBasePriorityPrivilege	1608	wmic.exe
Token: SeCreatePagefilePrivilege	1608	wmic.exe
Token: SeBackupPrivilege	1608	wmic.exe
Token: SeRestorePrivilege	1608	wmic.exe
Token: SeShutdownPrivilege	1608	wmic.exe
Token: SeDebugPrivilege	1608	wmic.exe
Token: SeSystemEnvironmentPrivilege	1608	wmic.exe
Token: SeRemoteShutdownPrivilege	1608	wmic.exe
Token: SeUndockPrivilege	1608	wmic.exe
Token: SeManageVolumePrivilege	1608	wmic.exe
Token: 33	1608	wmic.exe
Token: 34	1608	wmic.exe
Token: 35	1608	wmic.exe
Token: SeIncreaseQuotaPrivilege	1988	WMIC.exe
Token: SeSecurityPrivilege	1988	WMIC.exe
Token: SeTakeOwnershipPrivilege	1988	WMIC.exe
Token: SeLoadDriverPrivilege	1988	WMIC.exe
Token: SeSystemProfilePrivilege	1988	WMIC.exe
Token: SeSystemtimePrivilege	1988	WMIC.exe
Token: SeProfSingleProcessPrivilege	1988	WMIC.exe
Token: SeIncBasePriorityPrivilege	1988	WMIC.exe
Token: SeCreatePagefilePrivilege	1988	WMIC.exe
Token: SeBackupPrivilege	1988	WMIC.exe
Token: SeRestorePrivilege	1988	WMIC.exe
Token: SeShutdownPrivilege	1988	WMIC.exe
Token: SeDebugPrivilege	1988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1988	WMIC.exe
Token: SeRemoteShutdownPrivilege	1988	WMIC.exe
Token: SeUndockPrivilege	1988	WMIC.exe
Token: SeManageVolumePrivilege	1988	WMIC.exe
Token: 33	1988	WMIC.exe
Token: 34	1988	WMIC.exe
Token: 35	1988	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1988	WMIC.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1976	1980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1980 wrote to memory of 1976	1980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1980 wrote to memory of 1976	1980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1980 wrote to memory of 1976	1980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1976 wrote to memory of 952	1976	voiceadequovl.exe	29
PID 1976 wrote to memory of 952	1976	voiceadequovl.exe	29
PID 1976 wrote to memory of 952	1976	voiceadequovl.exe	29
PID 1976 wrote to memory of 952	1976	voiceadequovl.exe	29
PID 952 wrote to memory of 644	952	voiceadequovl.exe	30
PID 952 wrote to memory of 644	952	voiceadequovl.exe	30
PID 952 wrote to memory of 644	952	voiceadequovl.exe	30
PID 952 wrote to memory of 644	952	voiceadequovl.exe	30
PID 952 wrote to memory of 1164	952	voiceadequovl.exe	32
PID 952 wrote to memory of 1164	952	voiceadequovl.exe	32
PID 952 wrote to memory of 1164	952	voiceadequovl.exe	32
PID 952 wrote to memory of 1164	952	voiceadequovl.exe	32
PID 1164 wrote to memory of 1000	1164	cmd.exe	34
PID 1164 wrote to memory of 1000	1164	cmd.exe	34
PID 1164 wrote to memory of 1000	1164	cmd.exe	34
PID 1164 wrote to memory of 1000	1164	cmd.exe	34
PID 952 wrote to memory of 876	952	voiceadequovl.exe	35
PID 952 wrote to memory of 876	952	voiceadequovl.exe	35
PID 952 wrote to memory of 876	952	voiceadequovl.exe	35
PID 952 wrote to memory of 876	952	voiceadequovl.exe	35
PID 952 wrote to memory of 676	952	voiceadequovl.exe	36
PID 952 wrote to memory of 676	952	voiceadequovl.exe	36
PID 952 wrote to memory of 676	952	voiceadequovl.exe	36
PID 952 wrote to memory of 676	952	voiceadequovl.exe	36
PID 952 wrote to memory of 676	952	voiceadequovl.exe	36
PID 952 wrote to memory of 676	952	voiceadequovl.exe	36
PID 952 wrote to memory of 676	952	voiceadequovl.exe	36
PID 952 wrote to memory of 676	952	voiceadequovl.exe	36
PID 952 wrote to memory of 676	952	voiceadequovl.exe	36
PID 952 wrote to memory of 676	952	voiceadequovl.exe	36
PID 952 wrote to memory of 676	952	voiceadequovl.exe	36
PID 952 wrote to memory of 676	952	voiceadequovl.exe	36
PID 676 wrote to memory of 1608	676	voiceadequovl.exe	37
PID 676 wrote to memory of 1608	676	voiceadequovl.exe	37
PID 676 wrote to memory of 1608	676	voiceadequovl.exe	37
PID 676 wrote to memory of 1608	676	voiceadequovl.exe	37
PID 676 wrote to memory of 1616	676	voiceadequovl.exe	40
PID 676 wrote to memory of 1616	676	voiceadequovl.exe	40
PID 676 wrote to memory of 1616	676	voiceadequovl.exe	40
PID 676 wrote to memory of 1616	676	voiceadequovl.exe	40
PID 1616 wrote to memory of 1988	1616	cmd.exe	41
PID 1616 wrote to memory of 1988	1616	cmd.exe	41
PID 1616 wrote to memory of 1988	1616	cmd.exe	41
PID 1616 wrote to memory of 1988	1616	cmd.exe	41
PID 676 wrote to memory of 548	676	voiceadequovl.exe	43
PID 676 wrote to memory of 548	676	voiceadequovl.exe	43
PID 676 wrote to memory of 548	676	voiceadequovl.exe	43
PID 676 wrote to memory of 548	676	voiceadequovl.exe	43
PID 548 wrote to memory of 1404	548	cmd.exe	45
PID 548 wrote to memory of 1404	548	cmd.exe	45
PID 548 wrote to memory of 1404	548	cmd.exe	45
PID 548 wrote to memory of 1404	548	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:876
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:676
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:548
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
189.1MB

MD5
c92ea5ada7cc381421257060dfd5f939

SHA1
0c04aa06f9c12205cf5674a832ab314232f51213

SHA256
bce4b278da0fbf74a11bfc843565d883db121ce43245ffe66cefa5267f8a6e33

SHA512
a03df35bb932ec55fe0b789dc3a276e35f1924890f304ed806fd93b9b6514198271d9de769c22ce019031a1910e45aa12f3d3b3007efef2a65ff71d2d7fd0be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
182.7MB

MD5
4923018646ac9022415c686e6a193ab6

SHA1
52faae14b3f9773a85299e4c688510499d86ea4b

SHA256
c670691b358d7636d58eae7808981a6e7749416248f7e1dcbee03cb8408da903

SHA512
ffec4a4ea9f2dcc0742c64568de448d716ca8f3ee61ec86be4fc6dc517baf0b407e984ab8c9063b5f90ba68b86ba3bf8c21d262db18188488e990730f8fc1cdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5ea85399185aa7cfd2099dcd1da7323a

SHA1
5870162b373c8b366c4f4f112714c81ac3871f6d

SHA256
73c33383a8b38e0dc765a27f44d79be4641847ba1d8c5d23b96225708a3adff2

SHA512
eb00a70129e7cee236f7fd378a5f475c9430baa238ac1f96e0862971f1545fc4de67175cc33beae7757887e17fd997499adb5fb95fd0368085043a6e58242932

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
169.4MB

MD5
3ca39525fdb5dc847fdbe657407c0560

SHA1
ed972156bff176f96041ab371abfcd9640eb0202

SHA256
d5a45ab3766441d442b03fb42df46fd6d3dcab1796514df505305926b6e5059b

SHA512
cc6cd1338366209e9faee28ebc24b3320196212d28a8afe706ea276ff251c4327074999e5a49059dd7f5ed49b6e41e8dfa9da53dad1185485ae94dea330df7e1

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
171.1MB

MD5
bd5761c412afd8864ff252f638197f9c

SHA1
449e4176f5837331fc84052139015e6c3e91eaff

SHA256
2d5b9e6e2faa4f678d221254e03894136f87360eefea3e125bc2f29653c58055

SHA512
a4eca8cc83e4879fd38826480259f26b68dc90b3a78a01897830d1765b335b6b002aaec5a503f5786089c53427eaa2e10c8f84dcd402de04d6ea8b85341ec7ee

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
124.6MB

MD5
1a9b3776897cd4e464de9468f53b3e4c

SHA1
5d3a36c4554276a02ff12edae6d666aea6ba86ea

SHA256
c0d1ea6784e99218490d7b740c0ee54a8de06b68e6972a64e21361f68caccd1d

SHA512
e50dadbcbeddd9c19f6d239a4b8a6990910d9f964690ab5b190114296aa46524aa8b981d7f68c738e48799cdff9b2c803d0f122115231008ad25d10251db9bcb

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
123.1MB

MD5
7370289ecde96e39c9e8f2768a31f4be

SHA1
9a260a5c377ebaa9ad40101c304f69527b273bee

SHA256
9a3f64b1023701a4c19e6de62cbfcc3f241fce9a5910b3f7d60332692fa60adf

SHA512
28bd7d6b16278ea83198ce0db9f50fd7a9b42e435b2f4470c9415e8a105d937187236b6180250138ab589a39ff0325b6c637e6e8a7666c93dc52974fceb0a29f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
171.8MB

MD5
ab878526d2e0a1803a47b4ec67b4b83f

SHA1
7c35cf20bf579f652e2f9ffb1ad7e930a10d340b

SHA256
f10cf23829c390d85bbc393b471ed4f972dfdfa2e6ab9d5a034d4b22df735534

SHA512
ba64b7c9441e146606cf28ecc3ab4f3d013d3dc790a718cd11df408a04a8e59bc5b62a9d69b9fb0292f12502941e459e20a94e3f65d6c23b726487218f56d95e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
171.4MB

MD5
78203ed60e133d9d923b43251df6a1e2

SHA1
d4a775aa703311e0c9a2c67a1fa092a49d5b852d

SHA256
91121bb13a55d069f4af817d3886cec5f5084ff208b64612302ddd94a23e82cb

SHA512
13162360b433ec98d26d10730ff91250256c7ad01d3d64b5a9b2da649ab5cea4fa823b8634dd10b5fbd32d5db145f5011d134f15b8311f284af2c1194a9952d6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
173.2MB

MD5
f544e70384bbf644f83d39174df1191d

SHA1
fc9d421564a9d5c902f67bc81fccd572e146f677

SHA256
8795bd99d9c438390e662869bbae251ef4d8af07e84d7902b9925145edd9a400

SHA512
acff08e388df86a6a4436c6723184344e58d8e8a46f2feb2d9d122ffcbc8073c47fe1f379e1dfc6caf2b003e52102f12e0743422e9a58a2457a372ea4c17b0f7

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
171.9MB

MD5
61fb477b210b3bf0b25d4d5dd77af6cb

SHA1
ecbb7989e3d9ccbc81045837f756440b8e24efa2

SHA256
9369d6b7457c6c25f28ff479b3fef5675dd05b967c95fdb8ad00ccfe58a26049

SHA512
1b55ae05a2bb0a55e352e0284b00fb1e22e785628a8b3475a42aa159b89e7038e59b8127698a2bd0564fb6bb05e1df17d15843795ef5744953b379199b0d2f1f

Download Submit
memory/644-71-0x000000006FD70000-0x000000007031B000-memory.dmp

Filesize
5.7MB

Download
memory/644-69-0x000000006FD70000-0x000000007031B000-memory.dmp

Filesize
5.7MB

Download
memory/644-70-0x000000006FD70000-0x000000007031B000-memory.dmp

Filesize
5.7MB

Download
memory/676-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/676-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/676-102-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/676-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/676-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/676-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/676-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/676-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/676-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/676-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/676-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/952-65-0x0000000000AB0000-0x0000000001224000-memory.dmp

Filesize
7.5MB

Download
memory/952-66-0x0000000006400000-0x00000000067A0000-memory.dmp

Filesize
3.6MB

Download
memory/952-74-0x00000000054B0000-0x0000000005622000-memory.dmp

Filesize
1.4MB

Download
memory/1000-95-0x000000006FD30000-0x00000000702DB000-memory.dmp

Filesize
5.7MB

Download
memory/1000-87-0x000000006FD30000-0x00000000702DB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-56-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download