aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
85s
max time network
90s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/560-66-0x00000000064C0000-0x0000000006860000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1624 voiceadequovl.exe
560 voiceadequovl.exe
1460 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1624 voiceadequovl.exe
1624 voiceadequovl.exe
1624 voiceadequovl.exe
1624 voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1624	voiceadequovl.exe
560	voiceadequovl.exe
1460	voiceadequovl.exe

pid	process
1624	voiceadequovl.exe
1624	voiceadequovl.exe
1624	voiceadequovl.exe
1624	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 560 set thread context of 1460 560 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1816 powershell.exe
1660 powershell.exe

description	pid	process	target process
PID 560 set thread context of 1460	560	voiceadequovl.exe	voiceadequovl.exe

pid	process
1816	powershell.exe
1660	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	560	voiceadequovl.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeIncreaseQuotaPrivilege	1304	wmic.exe
Token: SeSecurityPrivilege	1304	wmic.exe
Token: SeTakeOwnershipPrivilege	1304	wmic.exe
Token: SeLoadDriverPrivilege	1304	wmic.exe
Token: SeSystemProfilePrivilege	1304	wmic.exe
Token: SeSystemtimePrivilege	1304	wmic.exe
Token: SeProfSingleProcessPrivilege	1304	wmic.exe
Token: SeIncBasePriorityPrivilege	1304	wmic.exe
Token: SeCreatePagefilePrivilege	1304	wmic.exe
Token: SeBackupPrivilege	1304	wmic.exe
Token: SeRestorePrivilege	1304	wmic.exe
Token: SeShutdownPrivilege	1304	wmic.exe
Token: SeDebugPrivilege	1304	wmic.exe
Token: SeSystemEnvironmentPrivilege	1304	wmic.exe
Token: SeRemoteShutdownPrivilege	1304	wmic.exe
Token: SeUndockPrivilege	1304	wmic.exe
Token: SeManageVolumePrivilege	1304	wmic.exe
Token: 33	1304	wmic.exe
Token: 34	1304	wmic.exe
Token: 35	1304	wmic.exe
Token: SeIncreaseQuotaPrivilege	1304	wmic.exe
Token: SeSecurityPrivilege	1304	wmic.exe
Token: SeTakeOwnershipPrivilege	1304	wmic.exe
Token: SeLoadDriverPrivilege	1304	wmic.exe
Token: SeSystemProfilePrivilege	1304	wmic.exe
Token: SeSystemtimePrivilege	1304	wmic.exe
Token: SeProfSingleProcessPrivilege	1304	wmic.exe
Token: SeIncBasePriorityPrivilege	1304	wmic.exe
Token: SeCreatePagefilePrivilege	1304	wmic.exe
Token: SeBackupPrivilege	1304	wmic.exe
Token: SeRestorePrivilege	1304	wmic.exe
Token: SeShutdownPrivilege	1304	wmic.exe
Token: SeDebugPrivilege	1304	wmic.exe
Token: SeSystemEnvironmentPrivilege	1304	wmic.exe
Token: SeRemoteShutdownPrivilege	1304	wmic.exe
Token: SeUndockPrivilege	1304	wmic.exe
Token: SeManageVolumePrivilege	1304	wmic.exe
Token: 33	1304	wmic.exe
Token: 34	1304	wmic.exe
Token: 35	1304	wmic.exe
Token: SeIncreaseQuotaPrivilege	1572	WMIC.exe
Token: SeSecurityPrivilege	1572	WMIC.exe
Token: SeTakeOwnershipPrivilege	1572	WMIC.exe
Token: SeLoadDriverPrivilege	1572	WMIC.exe
Token: SeSystemProfilePrivilege	1572	WMIC.exe
Token: SeSystemtimePrivilege	1572	WMIC.exe
Token: SeProfSingleProcessPrivilege	1572	WMIC.exe
Token: SeIncBasePriorityPrivilege	1572	WMIC.exe
Token: SeCreatePagefilePrivilege	1572	WMIC.exe
Token: SeBackupPrivilege	1572	WMIC.exe
Token: SeRestorePrivilege	1572	WMIC.exe
Token: SeShutdownPrivilege	1572	WMIC.exe
Token: SeDebugPrivilege	1572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1572	WMIC.exe
Token: SeRemoteShutdownPrivilege	1572	WMIC.exe
Token: SeUndockPrivilege	1572	WMIC.exe
Token: SeManageVolumePrivilege	1572	WMIC.exe
Token: 33	1572	WMIC.exe
Token: 34	1572	WMIC.exe
Token: 35	1572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1572	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 1752 wrote to memory of 1624	1752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1752 wrote to memory of 1624	1752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1752 wrote to memory of 1624	1752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1752 wrote to memory of 1624	1752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1624 wrote to memory of 560	1624	voiceadequovl.exe	voiceadequovl.exe
PID 1624 wrote to memory of 560	1624	voiceadequovl.exe	voiceadequovl.exe
PID 1624 wrote to memory of 560	1624	voiceadequovl.exe	voiceadequovl.exe
PID 1624 wrote to memory of 560	1624	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1816	560	voiceadequovl.exe	powershell.exe
PID 560 wrote to memory of 1816	560	voiceadequovl.exe	powershell.exe
PID 560 wrote to memory of 1816	560	voiceadequovl.exe	powershell.exe
PID 560 wrote to memory of 1816	560	voiceadequovl.exe	powershell.exe
PID 560 wrote to memory of 604	560	voiceadequovl.exe	cmd.exe
PID 560 wrote to memory of 604	560	voiceadequovl.exe	cmd.exe
PID 560 wrote to memory of 604	560	voiceadequovl.exe	cmd.exe
PID 560 wrote to memory of 604	560	voiceadequovl.exe	cmd.exe
PID 604 wrote to memory of 1660	604	cmd.exe	powershell.exe
PID 604 wrote to memory of 1660	604	cmd.exe	powershell.exe
PID 604 wrote to memory of 1660	604	cmd.exe	powershell.exe
PID 604 wrote to memory of 1660	604	cmd.exe	powershell.exe
PID 560 wrote to memory of 1460	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1460	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1460	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1460	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1460	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1460	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1460	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1460	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1460	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1460	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1460	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1460	560	voiceadequovl.exe	voiceadequovl.exe
PID 1460 wrote to memory of 1304	1460	voiceadequovl.exe	wmic.exe
PID 1460 wrote to memory of 1304	1460	voiceadequovl.exe	wmic.exe
PID 1460 wrote to memory of 1304	1460	voiceadequovl.exe	wmic.exe
PID 1460 wrote to memory of 1304	1460	voiceadequovl.exe	wmic.exe
PID 1460 wrote to memory of 1952	1460	voiceadequovl.exe	cmd.exe
PID 1460 wrote to memory of 1952	1460	voiceadequovl.exe	cmd.exe
PID 1460 wrote to memory of 1952	1460	voiceadequovl.exe	cmd.exe
PID 1460 wrote to memory of 1952	1460	voiceadequovl.exe	cmd.exe
PID 1952 wrote to memory of 1572	1952	cmd.exe	WMIC.exe
PID 1952 wrote to memory of 1572	1952	cmd.exe	WMIC.exe
PID 1952 wrote to memory of 1572	1952	cmd.exe	WMIC.exe
PID 1952 wrote to memory of 1572	1952	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 1616	1460	voiceadequovl.exe	cmd.exe
PID 1460 wrote to memory of 1616	1460	voiceadequovl.exe	cmd.exe
PID 1460 wrote to memory of 1616	1460	voiceadequovl.exe	cmd.exe
PID 1460 wrote to memory of 1616	1460	voiceadequovl.exe	cmd.exe
PID 1616 wrote to memory of 1752	1616	cmd.exe	WMIC.exe
PID 1616 wrote to memory of 1752	1616	cmd.exe	WMIC.exe
PID 1616 wrote to memory of 1752	1616	cmd.exe	WMIC.exe
PID 1616 wrote to memory of 1752	1616	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:604
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
323.9MB

MD5
3f9cf7cddd39dc870eda4abc8b868ea2

SHA1
cda33029345b61cad305fa59eb05eeaecd6fb784

SHA256
bfedce4ae759ce15062dc63df96fe4abcaebb1c7210466af13b605d484f777ba

SHA512
50eaf8a3612ff7d6d5e258d6a7f6f28965e19fe959f9ce7a12634785cdc51a5b25dfe6224d24f75babaafc456c3a1df34d7940ab879b71094ced7a858376d521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
306.9MB

MD5
b142c0ec8f59ecf55c1b7f0b909d1559

SHA1
26fdcda56a7dd2a90febb8ae61c31265bba6f671

SHA256
34710c86619a1170edab49c37a63e07abe47dd0af98cfa83d6d2b3c7fcedad93

SHA512
0efbe874809756a344559e715feda1eb4b8907e6354ab183992099ed10e1dc44d57225018dfcc8377c97c5094c05594c10aa189abbf7525052d3f877669ec177

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8c40b2c6511566b22b45b22c494d8bff

SHA1
0590a8d7ed4753122c7fd75e1f826f99b6802707

SHA256
9ddc6b9a8ffb22f18cf032942bccf9a901c1a5fcb915be0f0cf11919643af666

SHA512
58af35acad569532ae5883c9edb780a7ef765d049cbb0fe2aa9641183f636a5c65e8e6023998b4bda7341a088f7e6ac917cf26829afd8333c327086ebc49a1f1

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
189.9MB

MD5
e2a6556fbdbed23e2e6bed7a8c155548

SHA1
becfa75d930bdce04412f5c46a59538531b7c29e

SHA256
2d5f6c69a22a849b1cc7a328d3f830c1440762f6af003fc57d365f56ebd63994

SHA512
a2d2f6f0c2d903fda57516bf434f1e9e4cbb05ce0b514e942fa0f2a59ea0a987cc050cb928a09d4e0dd591bc6efe1204526220d994d8334dd568d7d0c2e9eac0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
191.6MB

MD5
5e6a90b4728a107d3d3de0c2174b03ee

SHA1
7e3f10b543e10f6512d2669ccb58a96e3ae7f466

SHA256
a14567de9da7d7aa3b933c1ebcdff1422e6f60535c2d17f0e0b7ef846155457a

SHA512
cfd9981f3c3ead04c65042481b3117dada5274fb2217e2aa99fac9ecfbf6821d27bfea342ddc854bb151db3b29c023fc9a8cb7c2ab02eb13d496b3f356625f64

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
113.1MB

MD5
42f8eba5fb50c9768558f328c2dd7da1

SHA1
e1e65e3a9699e132dec30c681ce3e29c18f6eea9

SHA256
d2665029fea9f7d70aa5dc057b86f8d180007134778a62a788f99a85260083a6

SHA512
c6c2d6dea3caa5501dee5127002bedd30f8c45df6b91c279c210b1cdea39acc40c635ff0b6f2294de535b6bdbaffa85cc4b5b3ac01337241d67467d5e3fd9800

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
205.7MB

MD5
32468d99383fb1d714e1f46650dd0f4c

SHA1
2ad5db43165a2a9bf299a6a39b4e6b3e3b714d2a

SHA256
e3967cb72093d6a7f2f8a68748c87b677bc56d9e9bcfa105ae0038f369c08aa8

SHA512
1a37129fc45bd91646442df7bcd0fc87deaaebcf2cbb85f935ae884dac33fbd75dd801b6085d23d67c5330d3021d54cdde8db6650a260eebdcfa47f1acb3a1b3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
197.5MB

MD5
dff1b5061f877716b3dfb884513d02d0

SHA1
2d2407e5716a1634b8b7be9354180809eb4a3c7e

SHA256
447c0d8ded0fa472bad3dae9bd0d53a974fe1f580182b48be25134e2806b53de

SHA512
eb0bdad3802d85190dc52dcce4b4bc6ddd5320c36a0d239d55c4e07d2501d02a6167d37f15533448da5ecd07eb4fa42bf1dae45ec9f4ae7c60646b2e941f6542

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
196.6MB

MD5
220baf91910fe18d6b6427720d579139

SHA1
4aebe2d050226c98a6cd9c246bdef13e9c6c16e2

SHA256
5e1edd91410e8b59b58faec73e1fd0fc028502e6e3e6c25ab7cedb8284ef5619

SHA512
4c9defe265aa75b4e333fbfd0363b4e8a898a1d0512e4b7df30114be6e13ce045f0c3c77665e274d2be4b6e696d081edb190bae5b58a6efe813289de9c7c91b9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
198.6MB

MD5
b6512f5b32a367dfa2bd9bcbafb37ed4

SHA1
0b543f7c64f0e8a388456a079dedd94fdffc0640

SHA256
b8314dfdc76b514a84ed1ecd5a5659c0498c1ce8225eb6f46a35ab7cc3e068ff

SHA512
860b2db6c138755640d821afd9e8b731f4aad04f6ff4678f92e5305e27938a6deef4e91d81d2c933d5754f5e13fc4929451f5eaf64f50b12650164b5c40c2717

Download Submit
memory/560-62-0x0000000000000000-mapping.dmp

Download
memory/560-65-0x0000000000F40000-0x00000000016B4000-memory.dmp

Filesize
7.5MB

Download
memory/560-66-0x00000000064C0000-0x0000000006860000-memory.dmp

Filesize
3.6MB

Download
memory/560-77-0x00000000054A0000-0x0000000005612000-memory.dmp

Filesize
1.4MB

Download
memory/604-72-0x0000000000000000-mapping.dmp

Download
memory/1304-97-0x0000000000000000-mapping.dmp

Download
memory/1460-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1460-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1460-102-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1460-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1460-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1460-91-0x0000000000464C20-mapping.dmp

Download
memory/1460-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1460-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1460-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1460-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1460-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1460-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1572-99-0x0000000000000000-mapping.dmp

Download
memory/1616-100-0x0000000000000000-mapping.dmp

Download
memory/1624-54-0x0000000000000000-mapping.dmp

Download
memory/1624-56-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1660-73-0x0000000000000000-mapping.dmp

Download
memory/1660-76-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-78-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-96-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-101-0x0000000000000000-mapping.dmp

Download
memory/1816-70-0x000000006F210000-0x000000006F7BB000-memory.dmp

Filesize
5.7MB

Download
memory/1816-67-0x0000000000000000-mapping.dmp

Download
memory/1816-69-0x000000006F210000-0x000000006F7BB000-memory.dmp

Filesize
5.7MB

Download
memory/1816-71-0x000000006F210000-0x000000006F7BB000-memory.dmp

Filesize
5.7MB

Download
memory/1952-98-0x0000000000000000-mapping.dmp

Download