aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
78s
max time network
82s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/560-66-0x0000000006550000-0x00000000068F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1692 voiceadequovl.exe
560 voiceadequovl.exe
1680 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1692 voiceadequovl.exe
1692 voiceadequovl.exe
1692 voiceadequovl.exe
1692 voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1692	voiceadequovl.exe
560	voiceadequovl.exe
1680	voiceadequovl.exe

pid	process
1692	voiceadequovl.exe
1692	voiceadequovl.exe
1692	voiceadequovl.exe
1692	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 560 set thread context of 1680 560 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1448 powershell.exe
1872 powershell.exe

description	pid	process	target process
PID 560 set thread context of 1680	560	voiceadequovl.exe	voiceadequovl.exe

pid	process
1448	powershell.exe
1872	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	560	voiceadequovl.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeIncreaseQuotaPrivilege	1948	wmic.exe
Token: SeSecurityPrivilege	1948	wmic.exe
Token: SeTakeOwnershipPrivilege	1948	wmic.exe
Token: SeLoadDriverPrivilege	1948	wmic.exe
Token: SeSystemProfilePrivilege	1948	wmic.exe
Token: SeSystemtimePrivilege	1948	wmic.exe
Token: SeProfSingleProcessPrivilege	1948	wmic.exe
Token: SeIncBasePriorityPrivilege	1948	wmic.exe
Token: SeCreatePagefilePrivilege	1948	wmic.exe
Token: SeBackupPrivilege	1948	wmic.exe
Token: SeRestorePrivilege	1948	wmic.exe
Token: SeShutdownPrivilege	1948	wmic.exe
Token: SeDebugPrivilege	1948	wmic.exe
Token: SeSystemEnvironmentPrivilege	1948	wmic.exe
Token: SeRemoteShutdownPrivilege	1948	wmic.exe
Token: SeUndockPrivilege	1948	wmic.exe
Token: SeManageVolumePrivilege	1948	wmic.exe
Token: 33	1948	wmic.exe
Token: 34	1948	wmic.exe
Token: 35	1948	wmic.exe
Token: SeIncreaseQuotaPrivilege	1948	wmic.exe
Token: SeSecurityPrivilege	1948	wmic.exe
Token: SeTakeOwnershipPrivilege	1948	wmic.exe
Token: SeLoadDriverPrivilege	1948	wmic.exe
Token: SeSystemProfilePrivilege	1948	wmic.exe
Token: SeSystemtimePrivilege	1948	wmic.exe
Token: SeProfSingleProcessPrivilege	1948	wmic.exe
Token: SeIncBasePriorityPrivilege	1948	wmic.exe
Token: SeCreatePagefilePrivilege	1948	wmic.exe
Token: SeBackupPrivilege	1948	wmic.exe
Token: SeRestorePrivilege	1948	wmic.exe
Token: SeShutdownPrivilege	1948	wmic.exe
Token: SeDebugPrivilege	1948	wmic.exe
Token: SeSystemEnvironmentPrivilege	1948	wmic.exe
Token: SeRemoteShutdownPrivilege	1948	wmic.exe
Token: SeUndockPrivilege	1948	wmic.exe
Token: SeManageVolumePrivilege	1948	wmic.exe
Token: 33	1948	wmic.exe
Token: 34	1948	wmic.exe
Token: 35	1948	wmic.exe
Token: SeIncreaseQuotaPrivilege	1592	WMIC.exe
Token: SeSecurityPrivilege	1592	WMIC.exe
Token: SeTakeOwnershipPrivilege	1592	WMIC.exe
Token: SeLoadDriverPrivilege	1592	WMIC.exe
Token: SeSystemProfilePrivilege	1592	WMIC.exe
Token: SeSystemtimePrivilege	1592	WMIC.exe
Token: SeProfSingleProcessPrivilege	1592	WMIC.exe
Token: SeIncBasePriorityPrivilege	1592	WMIC.exe
Token: SeCreatePagefilePrivilege	1592	WMIC.exe
Token: SeBackupPrivilege	1592	WMIC.exe
Token: SeRestorePrivilege	1592	WMIC.exe
Token: SeShutdownPrivilege	1592	WMIC.exe
Token: SeDebugPrivilege	1592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1592	WMIC.exe
Token: SeRemoteShutdownPrivilege	1592	WMIC.exe
Token: SeUndockPrivilege	1592	WMIC.exe
Token: SeManageVolumePrivilege	1592	WMIC.exe
Token: 33	1592	WMIC.exe
Token: 34	1592	WMIC.exe
Token: 35	1592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1592	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 1900 wrote to memory of 1692	1900	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1900 wrote to memory of 1692	1900	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1900 wrote to memory of 1692	1900	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1900 wrote to memory of 1692	1900	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1692 wrote to memory of 560	1692	voiceadequovl.exe	voiceadequovl.exe
PID 1692 wrote to memory of 560	1692	voiceadequovl.exe	voiceadequovl.exe
PID 1692 wrote to memory of 560	1692	voiceadequovl.exe	voiceadequovl.exe
PID 1692 wrote to memory of 560	1692	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1448	560	voiceadequovl.exe	powershell.exe
PID 560 wrote to memory of 1448	560	voiceadequovl.exe	powershell.exe
PID 560 wrote to memory of 1448	560	voiceadequovl.exe	powershell.exe
PID 560 wrote to memory of 1448	560	voiceadequovl.exe	powershell.exe
PID 560 wrote to memory of 1616	560	voiceadequovl.exe	cmd.exe
PID 560 wrote to memory of 1616	560	voiceadequovl.exe	cmd.exe
PID 560 wrote to memory of 1616	560	voiceadequovl.exe	cmd.exe
PID 560 wrote to memory of 1616	560	voiceadequovl.exe	cmd.exe
PID 1616 wrote to memory of 1872	1616	cmd.exe	powershell.exe
PID 1616 wrote to memory of 1872	1616	cmd.exe	powershell.exe
PID 1616 wrote to memory of 1872	1616	cmd.exe	powershell.exe
PID 1616 wrote to memory of 1872	1616	cmd.exe	powershell.exe
PID 560 wrote to memory of 1680	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1680	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1680	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1680	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1680	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1680	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1680	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1680	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1680	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1680	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1680	560	voiceadequovl.exe	voiceadequovl.exe
PID 560 wrote to memory of 1680	560	voiceadequovl.exe	voiceadequovl.exe
PID 1680 wrote to memory of 1948	1680	voiceadequovl.exe	wmic.exe
PID 1680 wrote to memory of 1948	1680	voiceadequovl.exe	wmic.exe
PID 1680 wrote to memory of 1948	1680	voiceadequovl.exe	wmic.exe
PID 1680 wrote to memory of 1948	1680	voiceadequovl.exe	wmic.exe
PID 1680 wrote to memory of 556	1680	voiceadequovl.exe	cmd.exe
PID 1680 wrote to memory of 556	1680	voiceadequovl.exe	cmd.exe
PID 1680 wrote to memory of 556	1680	voiceadequovl.exe	cmd.exe
PID 1680 wrote to memory of 556	1680	voiceadequovl.exe	cmd.exe
PID 556 wrote to memory of 1592	556	cmd.exe	WMIC.exe
PID 556 wrote to memory of 1592	556	cmd.exe	WMIC.exe
PID 556 wrote to memory of 1592	556	cmd.exe	WMIC.exe
PID 556 wrote to memory of 1592	556	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 1472	1680	voiceadequovl.exe	cmd.exe
PID 1680 wrote to memory of 1472	1680	voiceadequovl.exe	cmd.exe
PID 1680 wrote to memory of 1472	1680	voiceadequovl.exe	cmd.exe
PID 1680 wrote to memory of 1472	1680	voiceadequovl.exe	cmd.exe
PID 1472 wrote to memory of 936	1472	cmd.exe	WMIC.exe
PID 1472 wrote to memory of 936	1472	cmd.exe	WMIC.exe
PID 1472 wrote to memory of 936	1472	cmd.exe	WMIC.exe
PID 1472 wrote to memory of 936	1472	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1448
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:556
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
337.4MB

MD5
d634c04890231015fa4580e6fd06c1ae

SHA1
a8034ca18cf04c65260ec80c3564c7cd11122f61

SHA256
632e8bf922c56d37a24b870ba4dc70441b8527d549c05e242194e23049fa5187

SHA512
42ad1015966422c92fe7631e5ff27c34f316f4e40725e986aeeca02f6900d80c2be257c4c7b4fb4f1a0b086e6bf67f0f7b2979b81f442f7d2088e02375e10e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
335.1MB

MD5
696c33efe4caa5c575f18da22d57d54a

SHA1
264a15d7b5f6056d49992fa4dec8602838e21535

SHA256
61fad9e942b342e0d5650acce16106e29013b12608a7f7a548bff67785c148a0

SHA512
a2217bd04d89a89021c417fb5c0945c3a604a8d21e9a2bd71c4c55acf7ba0255f62e7aecefc93675ac59613adaa06d58b7458f221b2752322ecb0ee6b8afee1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3576b20588c82227f1153297c78df61f

SHA1
041121af964e68404c48bb2554565a707a8a6c07

SHA256
fbb94b9ca4b0a1582c88b4ab1f974f5e57620ddd07fbff5d10f3b72008548844

SHA512
3b883f979bd7c9dd9d99fb9e97271d5254cd6bfaa7c3366efb147c189f9e23a5c90fbf799f5cdf55defb514c6a4b139700650481367ddf683344e111fd819bdd

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
318.8MB

MD5
0a4eb2e21f37a44b10e79bc85690fab0

SHA1
eba3fc479f3f3636ba95985a39774747975f65d3

SHA256
86191112ceab75c3b3af081f6a3adb89835b6c14656414343d3d74e07cbadcf8

SHA512
2796991af00790bdc4de4df094f4c5771eed8b22067f6b52cbf4fb7c20b7e840874475b12d4448e571f98185022118845d959a68d8695d0684043d82195b7317

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
316.4MB

MD5
3d712133daa41e0cda5b4258fc9174bc

SHA1
722606f60e6e6c8b1ee00e8dfe0e05d695bcf2ad

SHA256
6df87b0ff4f2a63aed41192b3ef1da85827128831f766de1e6b5b294cbed6ec6

SHA512
e6cf958454c355561505381ea73dec35c772d497ef98b2dec464e5ccd6d7040e7bcfe3ef143203680a4653795a65f01b5a7ed3fbc0fbe0a07dbee386c34405b0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
197.6MB

MD5
2b05e7dc6240d5c5c412db34f7e6209e

SHA1
88db2dfc0a79fcab929fb30af472b742a791f80f

SHA256
a1396851c9cd61d1e0c11ba019d6891ab973cc76a2e4607dde2058bddb899a7a

SHA512
f7e58c2fb5a7a9070404e63b6eb130c8793e0cab5c17f222698a7bd9cffadb4a6e5f5b05007e03e30ddcd574a39f04843dc4bddfd90cc511e2ca244351709212

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
313.8MB

MD5
7423646cb5b6f49133a9a481175ed2a0

SHA1
7ff77566dd8cf68f3a6618c0c976bd982d5000d6

SHA256
d4f0741b1e97b3d4d660c3912a3c31cc80aa0695b19ab9380dab447f4bdfe422

SHA512
aff8dd67043ff88be74e21717b3ef36caddbadc29e35c8dd60caeb1b51ba192f74a119ab86e10a79fbd1dbde7e53f6854c6f4cc4358e060ad4db2ea635c247e0

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
317.7MB

MD5
be790a5d8fae3c6d09ae2c6c530ecb8a

SHA1
75bdb41aaf652522e8389cb6cae0da19b6f2a064

SHA256
a6b1f8cdc093009ee3af44e8c1ec0c230b6c1a966adfedae5f2e31522a8ef4ba

SHA512
b350471db87d4a75a0140acec91bf515d6f074186e4e8fe1bbc2b99c6e5d015c7d3b0ac796201591ec822cd5b749eed004e038c6ab8f0bca25fef9f802738916

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
319.2MB

MD5
0ebcad5be3b5b0bd95843b92ddf6f6f9

SHA1
a49b4e5a08e9a1f589cffac7d66b219e299be92f

SHA256
d6f1effb151dadae8dd4a64150a9220dd556f525f2776115865f1562f4f07a98

SHA512
a69fab16ad1b177e28e5985dd61465aaffef16e88ccd0ae85d25c3cbcd6a059d9cba0584994eff7a595cb02423736d26e8291ba5977648be00cca8884d067cc9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
318.0MB

MD5
1be15e35cb27720389bd9a2e61afc286

SHA1
ad4db3bbc258335f17d7a8fb41db3a5b00fbe4f7

SHA256
734db991cbc26bba669b0d31e0e72375eff0ade875081799e9da9bd4470c74e1

SHA512
e5c2fc1c6ae4303ff04375b959ee487bdad123c813e8e359ed8ec895066c0463cee094a88bc5a00576f7eac28ee278c6016202ab93f79576a88d12031655d443

Download Submit
memory/556-97-0x0000000000000000-mapping.dmp

Download
memory/560-62-0x0000000000000000-mapping.dmp

Download
memory/560-65-0x00000000013E0000-0x0000000001B54000-memory.dmp

Filesize
7.5MB

Download
memory/560-66-0x0000000006550000-0x00000000068F0000-memory.dmp

Filesize
3.6MB

Download
memory/560-73-0x00000000053A0000-0x0000000005512000-memory.dmp

Filesize
1.4MB

Download
memory/936-100-0x0000000000000000-mapping.dmp

Download
memory/1448-71-0x000000006F7A0000-0x000000006FD4B000-memory.dmp

Filesize
5.7MB

Download
memory/1448-70-0x000000006F7A0000-0x000000006FD4B000-memory.dmp

Filesize
5.7MB

Download
memory/1448-69-0x000000006F7A0000-0x000000006FD4B000-memory.dmp

Filesize
5.7MB

Download
memory/1448-67-0x0000000000000000-mapping.dmp

Download
memory/1472-99-0x0000000000000000-mapping.dmp

Download
memory/1592-98-0x0000000000000000-mapping.dmp

Download
memory/1616-72-0x0000000000000000-mapping.dmp

Download
memory/1680-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1680-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1680-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1680-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1680-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1680-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1680-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1680-90-0x0000000000464C20-mapping.dmp

Download
memory/1680-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1680-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1680-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1680-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1692-54-0x0000000000000000-mapping.dmp

Download
memory/1692-56-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1872-95-0x000000006F4F0000-0x000000006FA9B000-memory.dmp

Filesize
5.7MB

Download
memory/1872-74-0x0000000000000000-mapping.dmp

Download
memory/1872-89-0x000000006F4F0000-0x000000006FA9B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-96-0x0000000000000000-mapping.dmp

Download