aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1724-66-0x0000000006410000-0x00000000067B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1628 voiceadequovl.exe
1724 voiceadequovl.exe
1376 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1628 voiceadequovl.exe
1628 voiceadequovl.exe
1628 voiceadequovl.exe
1628 voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1628	voiceadequovl.exe
1724	voiceadequovl.exe
1376	voiceadequovl.exe

pid	process
1628	voiceadequovl.exe
1628	voiceadequovl.exe
1628	voiceadequovl.exe
1628	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1724 set thread context of 1376 1724 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1728 powershell.exe
1288 powershell.exe

description	pid	process	target process
PID 1724 set thread context of 1376	1724	voiceadequovl.exe	voiceadequovl.exe

pid	process
1728	powershell.exe
1288	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1724	voiceadequovl.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeIncreaseQuotaPrivilege	308	wmic.exe
Token: SeSecurityPrivilege	308	wmic.exe
Token: SeTakeOwnershipPrivilege	308	wmic.exe
Token: SeLoadDriverPrivilege	308	wmic.exe
Token: SeSystemProfilePrivilege	308	wmic.exe
Token: SeSystemtimePrivilege	308	wmic.exe
Token: SeProfSingleProcessPrivilege	308	wmic.exe
Token: SeIncBasePriorityPrivilege	308	wmic.exe
Token: SeCreatePagefilePrivilege	308	wmic.exe
Token: SeBackupPrivilege	308	wmic.exe
Token: SeRestorePrivilege	308	wmic.exe
Token: SeShutdownPrivilege	308	wmic.exe
Token: SeDebugPrivilege	308	wmic.exe
Token: SeSystemEnvironmentPrivilege	308	wmic.exe
Token: SeRemoteShutdownPrivilege	308	wmic.exe
Token: SeUndockPrivilege	308	wmic.exe
Token: SeManageVolumePrivilege	308	wmic.exe
Token: 33	308	wmic.exe
Token: 34	308	wmic.exe
Token: 35	308	wmic.exe
Token: SeIncreaseQuotaPrivilege	308	wmic.exe
Token: SeSecurityPrivilege	308	wmic.exe
Token: SeTakeOwnershipPrivilege	308	wmic.exe
Token: SeLoadDriverPrivilege	308	wmic.exe
Token: SeSystemProfilePrivilege	308	wmic.exe
Token: SeSystemtimePrivilege	308	wmic.exe
Token: SeProfSingleProcessPrivilege	308	wmic.exe
Token: SeIncBasePriorityPrivilege	308	wmic.exe
Token: SeCreatePagefilePrivilege	308	wmic.exe
Token: SeBackupPrivilege	308	wmic.exe
Token: SeRestorePrivilege	308	wmic.exe
Token: SeShutdownPrivilege	308	wmic.exe
Token: SeDebugPrivilege	308	wmic.exe
Token: SeSystemEnvironmentPrivilege	308	wmic.exe
Token: SeRemoteShutdownPrivilege	308	wmic.exe
Token: SeUndockPrivilege	308	wmic.exe
Token: SeManageVolumePrivilege	308	wmic.exe
Token: 33	308	wmic.exe
Token: 34	308	wmic.exe
Token: 35	308	wmic.exe
Token: SeIncreaseQuotaPrivilege	1612	WMIC.exe
Token: SeSecurityPrivilege	1612	WMIC.exe
Token: SeTakeOwnershipPrivilege	1612	WMIC.exe
Token: SeLoadDriverPrivilege	1612	WMIC.exe
Token: SeSystemProfilePrivilege	1612	WMIC.exe
Token: SeSystemtimePrivilege	1612	WMIC.exe
Token: SeProfSingleProcessPrivilege	1612	WMIC.exe
Token: SeIncBasePriorityPrivilege	1612	WMIC.exe
Token: SeCreatePagefilePrivilege	1612	WMIC.exe
Token: SeBackupPrivilege	1612	WMIC.exe
Token: SeRestorePrivilege	1612	WMIC.exe
Token: SeShutdownPrivilege	1612	WMIC.exe
Token: SeDebugPrivilege	1612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1612	WMIC.exe
Token: SeRemoteShutdownPrivilege	1612	WMIC.exe
Token: SeUndockPrivilege	1612	WMIC.exe
Token: SeManageVolumePrivilege	1612	WMIC.exe
Token: 33	1612	WMIC.exe
Token: 34	1612	WMIC.exe
Token: 35	1612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1612	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 1504 wrote to memory of 1628	1504	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1628	1504	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1628	1504	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1628	1504	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1628 wrote to memory of 1724	1628	voiceadequovl.exe	voiceadequovl.exe
PID 1628 wrote to memory of 1724	1628	voiceadequovl.exe	voiceadequovl.exe
PID 1628 wrote to memory of 1724	1628	voiceadequovl.exe	voiceadequovl.exe
PID 1628 wrote to memory of 1724	1628	voiceadequovl.exe	voiceadequovl.exe
PID 1724 wrote to memory of 1728	1724	voiceadequovl.exe	powershell.exe
PID 1724 wrote to memory of 1728	1724	voiceadequovl.exe	powershell.exe
PID 1724 wrote to memory of 1728	1724	voiceadequovl.exe	powershell.exe
PID 1724 wrote to memory of 1728	1724	voiceadequovl.exe	powershell.exe
PID 1724 wrote to memory of 1516	1724	voiceadequovl.exe	cmd.exe
PID 1724 wrote to memory of 1516	1724	voiceadequovl.exe	cmd.exe
PID 1724 wrote to memory of 1516	1724	voiceadequovl.exe	cmd.exe
PID 1724 wrote to memory of 1516	1724	voiceadequovl.exe	cmd.exe
PID 1516 wrote to memory of 1288	1516	cmd.exe	powershell.exe
PID 1516 wrote to memory of 1288	1516	cmd.exe	powershell.exe
PID 1516 wrote to memory of 1288	1516	cmd.exe	powershell.exe
PID 1516 wrote to memory of 1288	1516	cmd.exe	powershell.exe
PID 1724 wrote to memory of 1376	1724	voiceadequovl.exe	voiceadequovl.exe
PID 1724 wrote to memory of 1376	1724	voiceadequovl.exe	voiceadequovl.exe
PID 1724 wrote to memory of 1376	1724	voiceadequovl.exe	voiceadequovl.exe
PID 1724 wrote to memory of 1376	1724	voiceadequovl.exe	voiceadequovl.exe
PID 1724 wrote to memory of 1376	1724	voiceadequovl.exe	voiceadequovl.exe
PID 1724 wrote to memory of 1376	1724	voiceadequovl.exe	voiceadequovl.exe
PID 1724 wrote to memory of 1376	1724	voiceadequovl.exe	voiceadequovl.exe
PID 1724 wrote to memory of 1376	1724	voiceadequovl.exe	voiceadequovl.exe
PID 1724 wrote to memory of 1376	1724	voiceadequovl.exe	voiceadequovl.exe
PID 1724 wrote to memory of 1376	1724	voiceadequovl.exe	voiceadequovl.exe
PID 1724 wrote to memory of 1376	1724	voiceadequovl.exe	voiceadequovl.exe
PID 1724 wrote to memory of 1376	1724	voiceadequovl.exe	voiceadequovl.exe
PID 1376 wrote to memory of 308	1376	voiceadequovl.exe	wmic.exe
PID 1376 wrote to memory of 308	1376	voiceadequovl.exe	wmic.exe
PID 1376 wrote to memory of 308	1376	voiceadequovl.exe	wmic.exe
PID 1376 wrote to memory of 308	1376	voiceadequovl.exe	wmic.exe
PID 1376 wrote to memory of 1188	1376	voiceadequovl.exe	cmd.exe
PID 1376 wrote to memory of 1188	1376	voiceadequovl.exe	cmd.exe
PID 1376 wrote to memory of 1188	1376	voiceadequovl.exe	cmd.exe
PID 1376 wrote to memory of 1188	1376	voiceadequovl.exe	cmd.exe
PID 1188 wrote to memory of 1612	1188	cmd.exe	WMIC.exe
PID 1188 wrote to memory of 1612	1188	cmd.exe	WMIC.exe
PID 1188 wrote to memory of 1612	1188	cmd.exe	WMIC.exe
PID 1188 wrote to memory of 1612	1188	cmd.exe	WMIC.exe
PID 1376 wrote to memory of 1576	1376	voiceadequovl.exe	cmd.exe
PID 1376 wrote to memory of 1576	1376	voiceadequovl.exe	cmd.exe
PID 1376 wrote to memory of 1576	1376	voiceadequovl.exe	cmd.exe
PID 1376 wrote to memory of 1576	1376	voiceadequovl.exe	cmd.exe
PID 1576 wrote to memory of 1044	1576	cmd.exe	WMIC.exe
PID 1576 wrote to memory of 1044	1576	cmd.exe	WMIC.exe
PID 1576 wrote to memory of 1044	1576	cmd.exe	WMIC.exe
PID 1576 wrote to memory of 1044	1576	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1188
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0138d6e39abb68546b665e78d3729ce0

SHA1
ceba3649692d2477315f99ed7351c74566e8b2f2

SHA256
1201e8c2a835a43edd64cc10dad13eeace4c4d2a18f6d5acc0a5fa0ebfa8bd77

SHA512
55fc49801b0ed52cf55dc3365380ddc554eee6a678b0fc83ee0a94b50164c29fa979704a348b3c28f6ec3623c02b15594883c3449fda3b306c2d479f6a66a7e4

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
183.9MB

MD5
bbe19b2044cf1fed4f77bb3d81ce6750

SHA1
3df56f54d4a995de67150cec2dc3c62b610d4188

SHA256
f9563e82f79a65b4f3bfffa5fb3c80daf25dbe91330013a61991dfc7c5658c91

SHA512
acb6b56feac1e8ab8ee73295fa01367741da58adba44fe764510412f0af3b2f0a1e2de3c0a2164384be06592fc5eff41cce2f820860337b406346594dd73e1a2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
164.8MB

MD5
feda4b23ab4d096dea0c4e6d81419ef5

SHA1
57cbf2d5ae2d3247082aee1f3223fe82d63ab831

SHA256
4ab030232ea34a825f493424d0daa15f1cd6d20ee7431154dac038c97f975f56

SHA512
e64cab3f894f17bfbec32c718ec742c9fb3053a40429b3b1a5862215419104b58b95945720064190a012b8d88d5f4f11745ef5d53d68dda33768bb2456d1fc62

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
64.4MB

MD5
71120716131d64ee1152c020e30b0ecd

SHA1
8bbd09b6b5d38b4f0ec86a5ba1183f64a987e8c4

SHA256
6ec090257e3a9d38eb1f8fce3b13efa8c278d7907848594319213b1e6d08017a

SHA512
7f5452a6401a04123ba681338f99132fb256e456cd3475cc20eab2d0d0c5c0bb2f410d8c80264d013e65768e99d1c2ea12a68053ff669824b9a969fe5ec80f4a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
184.5MB

MD5
ef4f6c583f90771d29976c6d06016da4

SHA1
d281979c046409579cc825873ff9ed5464081e19

SHA256
c713ffcbac2658f0c68737004768e7ab8a4b7eba5b3a9dcdfb6f7bc75175b847

SHA512
3455ff94fdafefa03f36c34c7b92f35db402f6bd3219f56fe93dbc896fc5191cde155425c447d59905fc132b5c4ba92bda2b9f6a784e07fec5e6c6674e4e4b68

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
163.6MB

MD5
74d468014a1d5c120d3d31e58a565b7a

SHA1
fabe331ef5ee8388fee11b4f16e7899e1795c0c2

SHA256
f0c3d2458af953f1315a37b08f62f950265e4dbd979c87af518e25297279cd35

SHA512
8bbce2dd67cad5113f639d4c15e2e3c9e94d7374511038299219a800be22bd179074d1e2fee0ae5eb2f9a5850d29739ff4c32716e790d4402110b07920df8381

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
183.6MB

MD5
2c509e6b258f3fc8afe1f81fde87760c

SHA1
c9fbec2965354376f1c10daa1322702f5841d36e

SHA256
e3afebf5f0ca62c1066b26cac85435e7e77d4440c0dec8cbd0145c3550cdf7d7

SHA512
0bd1e10ec77ab35b2437c07b8be72fe371e18f5f311f1f93ea4a8af334d57e323e8d64ced14fff2748c6b49eedc4af77c947c724b4ba4eff12f574fb66fdce29

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
186.1MB

MD5
88e72b5ae3a2946a1e63110e9191d0d8

SHA1
62b475fc3c66877d5b4cf75b2230daeae56f63d0

SHA256
1270fcea065e425dc51d715c4d82dde764430c9ac39bd505ce81b646b9f3ae5d

SHA512
8f05cef2b3d347c193c13fc9d5831b078f1910dad9fb78d6f1a506ecaa76e8d7829d1c5cf3672796420d71ce21722a5cc1cb0cd0cf2b891b544885d75a0e226e

Download Submit
memory/308-96-0x0000000000000000-mapping.dmp

Download
memory/1044-100-0x0000000000000000-mapping.dmp

Download
memory/1188-97-0x0000000000000000-mapping.dmp

Download
memory/1288-93-0x000000006FE10000-0x00000000703BB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-74-0x0000000000000000-mapping.dmp

Download
memory/1288-95-0x000000006FE10000-0x00000000703BB000-memory.dmp

Filesize
5.7MB

Download
memory/1376-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1376-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1376-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1376-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1376-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1376-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1376-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1376-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1376-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1376-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1376-89-0x0000000000464C20-mapping.dmp

Download
memory/1376-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1516-72-0x0000000000000000-mapping.dmp

Download
memory/1576-99-0x0000000000000000-mapping.dmp

Download
memory/1612-98-0x0000000000000000-mapping.dmp

Download
memory/1628-56-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1628-54-0x0000000000000000-mapping.dmp

Download
memory/1724-65-0x0000000000ED0000-0x0000000001644000-memory.dmp

Filesize
7.5MB

Download
memory/1724-66-0x0000000006410000-0x00000000067B0000-memory.dmp

Filesize
3.6MB

Download
memory/1724-62-0x0000000000000000-mapping.dmp

Download
memory/1724-73-0x00000000053D0000-0x0000000005542000-memory.dmp

Filesize
1.4MB

Download
memory/1728-67-0x0000000000000000-mapping.dmp

Download
memory/1728-69-0x000000006FE50000-0x00000000703FB000-memory.dmp

Filesize
5.7MB

Download
memory/1728-71-0x000000006FE50000-0x00000000703FB000-memory.dmp

Filesize
5.7MB

Download
memory/1728-70-0x000000006FE50000-0x00000000703FB000-memory.dmp

Filesize
5.7MB

Download