aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
81s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

voiceadequovl.exevoiceadequovl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 4 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

2784 voiceadequovl.exe
3644 voiceadequovl.exe
3556 voiceadequovl.exe
1312 voiceadequovl.exe

pid	process
2784	voiceadequovl.exe
3644	voiceadequovl.exe
3556	voiceadequovl.exe
1312	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 3644 set thread context of 1312 3644 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exevoiceadequovl.exepowershell.exe

pid process

5032 powershell.exe
5032 powershell.exe
3644 voiceadequovl.exe
3644 voiceadequovl.exe
1292 powershell.exe
1292 powershell.exe

description	pid	process	target process
PID 3644 set thread context of 1312	3644	voiceadequovl.exe	voiceadequovl.exe

pid	process
5032	powershell.exe
5032	powershell.exe
3644	voiceadequovl.exe
3644	voiceadequovl.exe
1292	powershell.exe
1292	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3644	voiceadequovl.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeIncreaseQuotaPrivilege	536	wmic.exe
Token: SeSecurityPrivilege	536	wmic.exe
Token: SeTakeOwnershipPrivilege	536	wmic.exe
Token: SeLoadDriverPrivilege	536	wmic.exe
Token: SeSystemProfilePrivilege	536	wmic.exe
Token: SeSystemtimePrivilege	536	wmic.exe
Token: SeProfSingleProcessPrivilege	536	wmic.exe
Token: SeIncBasePriorityPrivilege	536	wmic.exe
Token: SeCreatePagefilePrivilege	536	wmic.exe
Token: SeBackupPrivilege	536	wmic.exe
Token: SeRestorePrivilege	536	wmic.exe
Token: SeShutdownPrivilege	536	wmic.exe
Token: SeDebugPrivilege	536	wmic.exe
Token: SeSystemEnvironmentPrivilege	536	wmic.exe
Token: SeRemoteShutdownPrivilege	536	wmic.exe
Token: SeUndockPrivilege	536	wmic.exe
Token: SeManageVolumePrivilege	536	wmic.exe
Token: 33	536	wmic.exe
Token: 34	536	wmic.exe
Token: 35	536	wmic.exe
Token: 36	536	wmic.exe
Token: SeIncreaseQuotaPrivilege	536	wmic.exe
Token: SeSecurityPrivilege	536	wmic.exe
Token: SeTakeOwnershipPrivilege	536	wmic.exe
Token: SeLoadDriverPrivilege	536	wmic.exe
Token: SeSystemProfilePrivilege	536	wmic.exe
Token: SeSystemtimePrivilege	536	wmic.exe
Token: SeProfSingleProcessPrivilege	536	wmic.exe
Token: SeIncBasePriorityPrivilege	536	wmic.exe
Token: SeCreatePagefilePrivilege	536	wmic.exe
Token: SeBackupPrivilege	536	wmic.exe
Token: SeRestorePrivilege	536	wmic.exe
Token: SeShutdownPrivilege	536	wmic.exe
Token: SeDebugPrivilege	536	wmic.exe
Token: SeSystemEnvironmentPrivilege	536	wmic.exe
Token: SeRemoteShutdownPrivilege	536	wmic.exe
Token: SeUndockPrivilege	536	wmic.exe
Token: SeManageVolumePrivilege	536	wmic.exe
Token: 33	536	wmic.exe
Token: 34	536	wmic.exe
Token: 35	536	wmic.exe
Token: 36	536	wmic.exe
Token: SeIncreaseQuotaPrivilege	3256	WMIC.exe
Token: SeSecurityPrivilege	3256	WMIC.exe
Token: SeTakeOwnershipPrivilege	3256	WMIC.exe
Token: SeLoadDriverPrivilege	3256	WMIC.exe
Token: SeSystemProfilePrivilege	3256	WMIC.exe
Token: SeSystemtimePrivilege	3256	WMIC.exe
Token: SeProfSingleProcessPrivilege	3256	WMIC.exe
Token: SeIncBasePriorityPrivilege	3256	WMIC.exe
Token: SeCreatePagefilePrivilege	3256	WMIC.exe
Token: SeBackupPrivilege	3256	WMIC.exe
Token: SeRestorePrivilege	3256	WMIC.exe
Token: SeShutdownPrivilege	3256	WMIC.exe
Token: SeDebugPrivilege	3256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3256	WMIC.exe
Token: SeRemoteShutdownPrivilege	3256	WMIC.exe
Token: SeUndockPrivilege	3256	WMIC.exe
Token: SeManageVolumePrivilege	3256	WMIC.exe
Token: 33	3256	WMIC.exe
Token: 34	3256	WMIC.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 4324 wrote to memory of 2784	4324	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4324 wrote to memory of 2784	4324	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4324 wrote to memory of 2784	4324	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2784 wrote to memory of 3644	2784	voiceadequovl.exe	voiceadequovl.exe
PID 2784 wrote to memory of 3644	2784	voiceadequovl.exe	voiceadequovl.exe
PID 2784 wrote to memory of 3644	2784	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 5032	3644	voiceadequovl.exe	powershell.exe
PID 3644 wrote to memory of 5032	3644	voiceadequovl.exe	powershell.exe
PID 3644 wrote to memory of 5032	3644	voiceadequovl.exe	powershell.exe
PID 3644 wrote to memory of 3084	3644	voiceadequovl.exe	cmd.exe
PID 3644 wrote to memory of 3084	3644	voiceadequovl.exe	cmd.exe
PID 3644 wrote to memory of 3084	3644	voiceadequovl.exe	cmd.exe
PID 3084 wrote to memory of 1292	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 1292	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 1292	3084	cmd.exe	powershell.exe
PID 3644 wrote to memory of 3556	3644	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 3556	3644	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 3556	3644	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 1312	3644	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 1312	3644	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 1312	3644	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 1312	3644	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 1312	3644	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 1312	3644	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 1312	3644	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 1312	3644	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 1312	3644	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 1312	3644	voiceadequovl.exe	voiceadequovl.exe
PID 3644 wrote to memory of 1312	3644	voiceadequovl.exe	voiceadequovl.exe
PID 1312 wrote to memory of 536	1312	voiceadequovl.exe	wmic.exe
PID 1312 wrote to memory of 536	1312	voiceadequovl.exe	wmic.exe
PID 1312 wrote to memory of 536	1312	voiceadequovl.exe	wmic.exe
PID 1312 wrote to memory of 2144	1312	voiceadequovl.exe	cmd.exe
PID 1312 wrote to memory of 2144	1312	voiceadequovl.exe	cmd.exe
PID 1312 wrote to memory of 2144	1312	voiceadequovl.exe	cmd.exe
PID 2144 wrote to memory of 3256	2144	cmd.exe	WMIC.exe
PID 2144 wrote to memory of 3256	2144	cmd.exe	WMIC.exe
PID 2144 wrote to memory of 3256	2144	cmd.exe	WMIC.exe
PID 1312 wrote to memory of 2480	1312	voiceadequovl.exe	cmd.exe
PID 1312 wrote to memory of 2480	1312	voiceadequovl.exe	cmd.exe
PID 1312 wrote to memory of 2480	1312	voiceadequovl.exe	cmd.exe
PID 2480 wrote to memory of 1388	2480	cmd.exe	WMIC.exe
PID 2480 wrote to memory of 1388	2480	cmd.exe	WMIC.exe
PID 2480 wrote to memory of 1388	2480	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5032
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3084
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:3556
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2480

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
1⤵
PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
52832a63cb90950e63e5eb7d1f782f0a

SHA1
bde748e12eb3c0a39c3bf23815f7ccc0a5c33eb5

SHA256
e603f0bce1101ffcb037416eca4f547ff00ffd1651e9c64f1c647a5a700d1d38

SHA512
076ca71b8b941fc9a1b322a9ad2f35cf50fc85221849fc27083777d1d4147991934f576dbe44d1e59027dc5bda95c7813698c78937a47fb55f8c932679a17287

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
362.5MB

MD5
276e79cef98b9fc1de20c8d97f62050f

SHA1
dd2e60913d6cb64daead8311768de9bfcbea3686

SHA256
5721262fa4194766a2b67ff8afdcc101a0efcfba30c8fa7cbf5e962db8c207cf

SHA512
74ecb03a3dbc2dbf64d94b01840f827cfed0fec89b30d73f27f47d593a7dc3082e32d7fa1c93b6434d2ce134398317e0a7a245f8c32b5d041f115ad2f2dcbe98

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
311.5MB

MD5
d2c8b31be30bef73f06e38c8fc3734e9

SHA1
d96cc767dc15cb1a689c053c5789969620680a44

SHA256
cd8efd73c7dd252d940ee670073e860d2d38b6eb41b406ccd95295e21d7e6ba2

SHA512
7b38e9ab64670866421d874e582176fcc50da74e63873412b7420c7e8de757e0724032958663ca48d9e1a7e32ac867871cdffe94244291634ef6a9ca36024fee

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
315.7MB

MD5
11aa8dfb89d58458024ab822205edc8a

SHA1
83303fed1f973a377c39c60e33068724fdc2fba5

SHA256
5067935c068f03fd311e929a61462f07954487885cddabd781dc36e1c3e86001

SHA512
c0f6cc15fa1945fb483fdd9d261b9b3b5c025bb31b6d18b582693633a9937f0d4834f57641e6af8b36306bc602d477b8c6eaeec684824b398cf4653b27c46a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
122.7MB

MD5
360ac631c98d7879468b4b0441d7c34f

SHA1
6f31673a937e191737b5ec165db8e84f5ef3f698

SHA256
46040c65ed6052e772d4e18bc4e561dc4863e7f9092f50d77e53e40dfe670b1f

SHA512
72b082ed9837b778631bd97b905e5f48c76c736126bdd107eed7c1339b3a1b947373c798390bad03b4e6272b769594f605e14518d4bda14c2ec5f8600366f540

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
122.5MB

MD5
4fa849d225b00499e1676feefb5f9418

SHA1
f5e152ef7508a8fdb98872ed04f18b7cebcc3526

SHA256
6e5130503ef63e6c3b5d2fb9a4e59cdb15ab651bc6c6a8d68cb56165623256eb

SHA512
6c9a1aca72a47b14e7540cba22d76fa31f6f0c21d03ca78419316bf3747634b90aca7a4148b844aa148c36220c7c2a37b7e302b71e49029907dca0ab18ad3f99

Download Submit
memory/536-161-0x0000000000000000-mapping.dmp

Download
memory/1292-162-0x0000000006130000-0x0000000006162000-memory.dmp

Filesize
200KB

Download
memory/1292-163-0x0000000073E00000-0x0000000073E4C000-memory.dmp

Filesize
304KB

Download
memory/1292-173-0x00000000070A0000-0x00000000070A8000-memory.dmp

Filesize
32KB

Download
memory/1292-172-0x00000000070C0000-0x00000000070DA000-memory.dmp

Filesize
104KB

Download
memory/1292-171-0x00000000059F0000-0x00000000059FE000-memory.dmp

Filesize
56KB

Download
memory/1292-164-0x0000000006110000-0x000000000612E000-memory.dmp

Filesize
120KB

Download
memory/1292-149-0x0000000000000000-mapping.dmp

Download
memory/1292-165-0x0000000006F30000-0x0000000006F3A000-memory.dmp

Filesize
40KB

Download
memory/1292-166-0x0000000007160000-0x00000000071F6000-memory.dmp

Filesize
600KB

Download
memory/1312-157-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1312-174-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1312-153-0x0000000000000000-mapping.dmp

Download
memory/1312-158-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1312-154-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1388-170-0x0000000000000000-mapping.dmp

Download
memory/2144-167-0x0000000000000000-mapping.dmp

Download
memory/2480-169-0x0000000000000000-mapping.dmp

Download
memory/2784-132-0x0000000000000000-mapping.dmp

Download
memory/3084-148-0x0000000000000000-mapping.dmp

Download
memory/3256-168-0x0000000000000000-mapping.dmp

Download
memory/3556-151-0x0000000000000000-mapping.dmp

Download
memory/3644-138-0x0000000000F80000-0x00000000016F4000-memory.dmp

Filesize
7.5MB

Download
memory/3644-135-0x0000000000000000-mapping.dmp

Download
memory/3644-139-0x0000000007650000-0x0000000007672000-memory.dmp

Filesize
136KB

Download
memory/5032-142-0x0000000004EA0000-0x00000000054C8000-memory.dmp

Filesize
6.2MB

Download
memory/5032-140-0x0000000000000000-mapping.dmp

Download
memory/5032-141-0x00000000026C0000-0x00000000026F6000-memory.dmp

Filesize
216KB

Download
memory/5032-147-0x0000000006190000-0x00000000061AA000-memory.dmp

Filesize
104KB

Download
memory/5032-146-0x00000000072F0000-0x000000000796A000-memory.dmp

Filesize
6.5MB

Download
memory/5032-145-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

Filesize
120KB

Download
memory/5032-144-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/5032-143-0x0000000004D70000-0x0000000004DD6000-memory.dmp

Filesize
408KB

Download