aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
60s
max time network
64s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1536-66-0x0000000006450000-0x00000000067F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1776 voiceadequovl.exe
1536 voiceadequovl.exe
1132 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1776 voiceadequovl.exe
1776 voiceadequovl.exe
1776 voiceadequovl.exe
1776 voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1776	voiceadequovl.exe
1536	voiceadequovl.exe
1132	voiceadequovl.exe

pid	process
1776	voiceadequovl.exe
1776	voiceadequovl.exe
1776	voiceadequovl.exe
1776	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1536 set thread context of 1132 1536 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1376 powershell.exe
896 powershell.exe

description	pid	process	target process
PID 1536 set thread context of 1132	1536	voiceadequovl.exe	voiceadequovl.exe

pid	process
1376	powershell.exe
896	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1536	voiceadequovl.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeIncreaseQuotaPrivilege	296	wmic.exe
Token: SeSecurityPrivilege	296	wmic.exe
Token: SeTakeOwnershipPrivilege	296	wmic.exe
Token: SeLoadDriverPrivilege	296	wmic.exe
Token: SeSystemProfilePrivilege	296	wmic.exe
Token: SeSystemtimePrivilege	296	wmic.exe
Token: SeProfSingleProcessPrivilege	296	wmic.exe
Token: SeIncBasePriorityPrivilege	296	wmic.exe
Token: SeCreatePagefilePrivilege	296	wmic.exe
Token: SeBackupPrivilege	296	wmic.exe
Token: SeRestorePrivilege	296	wmic.exe
Token: SeShutdownPrivilege	296	wmic.exe
Token: SeDebugPrivilege	296	wmic.exe
Token: SeSystemEnvironmentPrivilege	296	wmic.exe
Token: SeRemoteShutdownPrivilege	296	wmic.exe
Token: SeUndockPrivilege	296	wmic.exe
Token: SeManageVolumePrivilege	296	wmic.exe
Token: 33	296	wmic.exe
Token: 34	296	wmic.exe
Token: 35	296	wmic.exe
Token: SeIncreaseQuotaPrivilege	296	wmic.exe
Token: SeSecurityPrivilege	296	wmic.exe
Token: SeTakeOwnershipPrivilege	296	wmic.exe
Token: SeLoadDriverPrivilege	296	wmic.exe
Token: SeSystemProfilePrivilege	296	wmic.exe
Token: SeSystemtimePrivilege	296	wmic.exe
Token: SeProfSingleProcessPrivilege	296	wmic.exe
Token: SeIncBasePriorityPrivilege	296	wmic.exe
Token: SeCreatePagefilePrivilege	296	wmic.exe
Token: SeBackupPrivilege	296	wmic.exe
Token: SeRestorePrivilege	296	wmic.exe
Token: SeShutdownPrivilege	296	wmic.exe
Token: SeDebugPrivilege	296	wmic.exe
Token: SeSystemEnvironmentPrivilege	296	wmic.exe
Token: SeRemoteShutdownPrivilege	296	wmic.exe
Token: SeUndockPrivilege	296	wmic.exe
Token: SeManageVolumePrivilege	296	wmic.exe
Token: 33	296	wmic.exe
Token: 34	296	wmic.exe
Token: 35	296	wmic.exe
Token: SeIncreaseQuotaPrivilege	2016	WMIC.exe
Token: SeSecurityPrivilege	2016	WMIC.exe
Token: SeTakeOwnershipPrivilege	2016	WMIC.exe
Token: SeLoadDriverPrivilege	2016	WMIC.exe
Token: SeSystemProfilePrivilege	2016	WMIC.exe
Token: SeSystemtimePrivilege	2016	WMIC.exe
Token: SeProfSingleProcessPrivilege	2016	WMIC.exe
Token: SeIncBasePriorityPrivilege	2016	WMIC.exe
Token: SeCreatePagefilePrivilege	2016	WMIC.exe
Token: SeBackupPrivilege	2016	WMIC.exe
Token: SeRestorePrivilege	2016	WMIC.exe
Token: SeShutdownPrivilege	2016	WMIC.exe
Token: SeDebugPrivilege	2016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2016	WMIC.exe
Token: SeRemoteShutdownPrivilege	2016	WMIC.exe
Token: SeUndockPrivilege	2016	WMIC.exe
Token: SeManageVolumePrivilege	2016	WMIC.exe
Token: 33	2016	WMIC.exe
Token: 34	2016	WMIC.exe
Token: 35	2016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2016	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 1392 wrote to memory of 1776	1392	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1392 wrote to memory of 1776	1392	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1392 wrote to memory of 1776	1392	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1392 wrote to memory of 1776	1392	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1776 wrote to memory of 1536	1776	voiceadequovl.exe	voiceadequovl.exe
PID 1776 wrote to memory of 1536	1776	voiceadequovl.exe	voiceadequovl.exe
PID 1776 wrote to memory of 1536	1776	voiceadequovl.exe	voiceadequovl.exe
PID 1776 wrote to memory of 1536	1776	voiceadequovl.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1376	1536	voiceadequovl.exe	powershell.exe
PID 1536 wrote to memory of 1376	1536	voiceadequovl.exe	powershell.exe
PID 1536 wrote to memory of 1376	1536	voiceadequovl.exe	powershell.exe
PID 1536 wrote to memory of 1376	1536	voiceadequovl.exe	powershell.exe
PID 1536 wrote to memory of 584	1536	voiceadequovl.exe	cmd.exe
PID 1536 wrote to memory of 584	1536	voiceadequovl.exe	cmd.exe
PID 1536 wrote to memory of 584	1536	voiceadequovl.exe	cmd.exe
PID 1536 wrote to memory of 584	1536	voiceadequovl.exe	cmd.exe
PID 584 wrote to memory of 896	584	cmd.exe	powershell.exe
PID 584 wrote to memory of 896	584	cmd.exe	powershell.exe
PID 584 wrote to memory of 896	584	cmd.exe	powershell.exe
PID 584 wrote to memory of 896	584	cmd.exe	powershell.exe
PID 1536 wrote to memory of 1132	1536	voiceadequovl.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1132	1536	voiceadequovl.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1132	1536	voiceadequovl.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1132	1536	voiceadequovl.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1132	1536	voiceadequovl.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1132	1536	voiceadequovl.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1132	1536	voiceadequovl.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1132	1536	voiceadequovl.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1132	1536	voiceadequovl.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1132	1536	voiceadequovl.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1132	1536	voiceadequovl.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1132	1536	voiceadequovl.exe	voiceadequovl.exe
PID 1132 wrote to memory of 296	1132	voiceadequovl.exe	wmic.exe
PID 1132 wrote to memory of 296	1132	voiceadequovl.exe	wmic.exe
PID 1132 wrote to memory of 296	1132	voiceadequovl.exe	wmic.exe
PID 1132 wrote to memory of 296	1132	voiceadequovl.exe	wmic.exe
PID 1132 wrote to memory of 1672	1132	voiceadequovl.exe	cmd.exe
PID 1132 wrote to memory of 1672	1132	voiceadequovl.exe	cmd.exe
PID 1132 wrote to memory of 1672	1132	voiceadequovl.exe	cmd.exe
PID 1132 wrote to memory of 1672	1132	voiceadequovl.exe	cmd.exe
PID 1672 wrote to memory of 2016	1672	cmd.exe	WMIC.exe
PID 1672 wrote to memory of 2016	1672	cmd.exe	WMIC.exe
PID 1672 wrote to memory of 2016	1672	cmd.exe	WMIC.exe
PID 1672 wrote to memory of 2016	1672	cmd.exe	WMIC.exe
PID 1132 wrote to memory of 884	1132	voiceadequovl.exe	cmd.exe
PID 1132 wrote to memory of 884	1132	voiceadequovl.exe	cmd.exe
PID 1132 wrote to memory of 884	1132	voiceadequovl.exe	cmd.exe
PID 1132 wrote to memory of 884	1132	voiceadequovl.exe	cmd.exe
PID 884 wrote to memory of 1748	884	cmd.exe	WMIC.exe
PID 884 wrote to memory of 1748	884	cmd.exe	WMIC.exe
PID 884 wrote to memory of 1748	884	cmd.exe	WMIC.exe
PID 884 wrote to memory of 1748	884	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1376
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:884
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
247.9MB

MD5
d658aedd1cf2f6a4f027184bf8ba6bb8

SHA1
2903fa7d00b959747fe06393a6a0ab6850c2d485

SHA256
b3edddbf5f29c1a50a14d7473e7e70f64c17a948b6c2175a2ea9c582f2dcd55e

SHA512
2373a71743b7c53f98453d28ac80aa38cc3189b5255ee7539a6c727fdf69cc86dbce184aaed7a5c7c12033cbd9738158ea8578ad12a71d276ed110fd7b76a1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
243.4MB

MD5
8b433b2784316c8e828b6c1b508ea16a

SHA1
4965888d91290f6fd976f45d09a3070e4dbb1dfa

SHA256
11082a2b37d1fc37fef606300ea46e8015e182047ecbc195dc5630e4e8be10ee

SHA512
fdd47a2f0bcc7837f0033e7128db67a200231e2f15e0911051f5664904694b0486fa1081ff04677c8c86f9e944e6a87b6bbf67c6a6fc3bf03c307edc17dd15a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b666cc59d3d2b818dc1073824effda94

SHA1
a5d0867838580780d9a6e3de09e91a79c7d55927

SHA256
2b6c23a9b383ea12cdba25694a3fdc71387199b5227ef651b4cf2bca1eb88fca

SHA512
eb51a5333ab058293083f08a9b820c1a4d9974fd1b52e5ebdb58169bcbbb5e50813654178a809387becbe56c14524eca6fdc11b7d7e68b5cae4ef75d2d38a7cf

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
237.8MB

MD5
60aeaa15af666ba254621fd6ffe2e2fd

SHA1
f0df52b0cc301b532b36c821c7789bd132f81d1a

SHA256
3d72ae9135c875b2e8fa185896192b71508b5be86d050ee48b05d4a5f4fc9ef9

SHA512
56b99a27f5126abb8bbd70e3c61e40278c94d98c5aed6aa4ccb3d9746fddc670fa9c64b9a66329d6e0388c775574474234ec413b100d90b2ddf6748199bf81de

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
233.8MB

MD5
610271bfe4e955dc33b2dc43c6e04939

SHA1
4fbd9beb70838bec86c6d7f25117392cea771540

SHA256
08765e6552805cd2a8b96eec9f930098eb4f246ef8f124ef0ee7f58939a0ecbd

SHA512
096b5b13fd49de433f9f7eac06fa15a57c70326c5519f9100066dee0ffbcc49c3b6c1e62b80ab76056b66937191030e4470f4bb901c66753a284b87768aea2d5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
172.4MB

MD5
54232219b263daa2588100ee6badafb0

SHA1
44f738a24e398c3971d776f8c500db0bbe4d74db

SHA256
df1ed2fe1fc1f74709a4ef2294daaeab0f1fd845298cfe2bc3160a2026cf38f5

SHA512
be529a1da6d6910d3e22d84bfc3926414c82df69496a466ec7e3b19e621f028c2dbcd319cc9d86cb1b0bfc5c618d27d953c4c1b3a09fc9aaf9de2b83d1e727f9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
239.2MB

MD5
47afbff5ab9079838427a5b58e3bc2ee

SHA1
1ec2c535c3f1f72e73c8b93dcc65153377f638cf

SHA256
b833cc29e6034ff134dd92586f8bfa83377f13d8d044085b1bde1e5b6373706f

SHA512
cb4c3d0bb815689ef0dc123879b0a2376dbccb42a62338d8d2dce321c4b3bd223274999bb6aa7b9285e237a2448fced7adb03644b9a8470c38f67a48b6b5ce3c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
238.6MB

MD5
ac2a2251473e485556a13db9ddd0fed4

SHA1
55f215a23f29aff15648e8a9589f9d37d14daa97

SHA256
bf5390ba1f02dc3d82e6e73bf40c1ae49779b7e535e5dbe78f5cfb22dc96f986

SHA512
27abd6d171eb8865babaa3884e3da9eae1d20c8efde2c06cb351e5a31cf7c3b2b6c7d5d6eea37ccb99f3c157abc72530152e050cb8fcc057e515858cddbdf860

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
237.6MB

MD5
0e86ee20bddc39a11ac9add907f98c16

SHA1
d9c24805e7a5bd738c566790e0b4c20bde94fbd9

SHA256
fa0bbec3a7bef86b3ce647c528ec12bb7a0b32c0702a91335158fce2d7862898

SHA512
244a8392c3983d57d84280775e5c36fe8fdf7f2fed87fc74df25a9fe5bf8611e07c289bf9a4d6aef6cbf0cfff6740b1d09c22e3e890b9904fa832e80be2bc38b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
235.1MB

MD5
419aca0bf664a4d4fdc4489460faa54f

SHA1
494746b629a78b1a740a5f573f527a2e83664fa2

SHA256
e778c06eec315821c6d4482cd4a4c85d33b153ca91c4e53fedd281d57fce1cc5

SHA512
685c542ac2eb110af2b669416012e54e31ed34a5743550d8a5cd1850ddd36a22e9b2516b1d4f24fedb8b02ef7f5c227bd0374895fa155334b7cefed23efe0a2a

Download Submit
memory/296-95-0x0000000000000000-mapping.dmp

Download
memory/584-72-0x0000000000000000-mapping.dmp

Download
memory/884-98-0x0000000000000000-mapping.dmp

Download
memory/896-85-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/896-73-0x0000000000000000-mapping.dmp

Download
memory/1132-90-0x0000000000464C20-mapping.dmp

Download
memory/1132-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-100-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1376-71-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/1376-67-0x0000000000000000-mapping.dmp

Download
memory/1376-69-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/1376-70-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/1536-65-0x0000000000CB0000-0x0000000001424000-memory.dmp

Filesize
7.5MB

Download
memory/1536-66-0x0000000006450000-0x00000000067F0000-memory.dmp

Filesize
3.6MB

Download
memory/1536-76-0x0000000005470000-0x00000000055E2000-memory.dmp

Filesize
1.4MB

Download
memory/1536-62-0x0000000000000000-mapping.dmp

Download
memory/1672-96-0x0000000000000000-mapping.dmp

Download
memory/1748-99-0x0000000000000000-mapping.dmp

Download
memory/1776-54-0x0000000000000000-mapping.dmp

Download
memory/1776-56-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/2016-97-0x0000000000000000-mapping.dmp

Download