aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
89s
max time network
94s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/728-66-0x0000000006450000-0x00000000067F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1556 voiceadequovl.exe
728 voiceadequovl.exe
528 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1556 voiceadequovl.exe
1556 voiceadequovl.exe
1556 voiceadequovl.exe
1556 voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1556	voiceadequovl.exe
728	voiceadequovl.exe
528	voiceadequovl.exe

pid	process
1556	voiceadequovl.exe
1556	voiceadequovl.exe
1556	voiceadequovl.exe
1556	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 728 set thread context of 528 728 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

940 powershell.exe
996 powershell.exe

description	pid	process	target process
PID 728 set thread context of 528	728	voiceadequovl.exe	voiceadequovl.exe

pid	process
940	powershell.exe
996	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	728	voiceadequovl.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeIncreaseQuotaPrivilege	316	wmic.exe
Token: SeSecurityPrivilege	316	wmic.exe
Token: SeTakeOwnershipPrivilege	316	wmic.exe
Token: SeLoadDriverPrivilege	316	wmic.exe
Token: SeSystemProfilePrivilege	316	wmic.exe
Token: SeSystemtimePrivilege	316	wmic.exe
Token: SeProfSingleProcessPrivilege	316	wmic.exe
Token: SeIncBasePriorityPrivilege	316	wmic.exe
Token: SeCreatePagefilePrivilege	316	wmic.exe
Token: SeBackupPrivilege	316	wmic.exe
Token: SeRestorePrivilege	316	wmic.exe
Token: SeShutdownPrivilege	316	wmic.exe
Token: SeDebugPrivilege	316	wmic.exe
Token: SeSystemEnvironmentPrivilege	316	wmic.exe
Token: SeRemoteShutdownPrivilege	316	wmic.exe
Token: SeUndockPrivilege	316	wmic.exe
Token: SeManageVolumePrivilege	316	wmic.exe
Token: 33	316	wmic.exe
Token: 34	316	wmic.exe
Token: 35	316	wmic.exe
Token: SeIncreaseQuotaPrivilege	316	wmic.exe
Token: SeSecurityPrivilege	316	wmic.exe
Token: SeTakeOwnershipPrivilege	316	wmic.exe
Token: SeLoadDriverPrivilege	316	wmic.exe
Token: SeSystemProfilePrivilege	316	wmic.exe
Token: SeSystemtimePrivilege	316	wmic.exe
Token: SeProfSingleProcessPrivilege	316	wmic.exe
Token: SeIncBasePriorityPrivilege	316	wmic.exe
Token: SeCreatePagefilePrivilege	316	wmic.exe
Token: SeBackupPrivilege	316	wmic.exe
Token: SeRestorePrivilege	316	wmic.exe
Token: SeShutdownPrivilege	316	wmic.exe
Token: SeDebugPrivilege	316	wmic.exe
Token: SeSystemEnvironmentPrivilege	316	wmic.exe
Token: SeRemoteShutdownPrivilege	316	wmic.exe
Token: SeUndockPrivilege	316	wmic.exe
Token: SeManageVolumePrivilege	316	wmic.exe
Token: 33	316	wmic.exe
Token: 34	316	wmic.exe
Token: 35	316	wmic.exe
Token: SeIncreaseQuotaPrivilege	1088	WMIC.exe
Token: SeSecurityPrivilege	1088	WMIC.exe
Token: SeTakeOwnershipPrivilege	1088	WMIC.exe
Token: SeLoadDriverPrivilege	1088	WMIC.exe
Token: SeSystemProfilePrivilege	1088	WMIC.exe
Token: SeSystemtimePrivilege	1088	WMIC.exe
Token: SeProfSingleProcessPrivilege	1088	WMIC.exe
Token: SeIncBasePriorityPrivilege	1088	WMIC.exe
Token: SeCreatePagefilePrivilege	1088	WMIC.exe
Token: SeBackupPrivilege	1088	WMIC.exe
Token: SeRestorePrivilege	1088	WMIC.exe
Token: SeShutdownPrivilege	1088	WMIC.exe
Token: SeDebugPrivilege	1088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1088	WMIC.exe
Token: SeRemoteShutdownPrivilege	1088	WMIC.exe
Token: SeUndockPrivilege	1088	WMIC.exe
Token: SeManageVolumePrivilege	1088	WMIC.exe
Token: 33	1088	WMIC.exe
Token: 34	1088	WMIC.exe
Token: 35	1088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1088	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 1268 wrote to memory of 1556	1268	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1268 wrote to memory of 1556	1268	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1268 wrote to memory of 1556	1268	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1268 wrote to memory of 1556	1268	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1556 wrote to memory of 728	1556	voiceadequovl.exe	voiceadequovl.exe
PID 1556 wrote to memory of 728	1556	voiceadequovl.exe	voiceadequovl.exe
PID 1556 wrote to memory of 728	1556	voiceadequovl.exe	voiceadequovl.exe
PID 1556 wrote to memory of 728	1556	voiceadequovl.exe	voiceadequovl.exe
PID 728 wrote to memory of 940	728	voiceadequovl.exe	powershell.exe
PID 728 wrote to memory of 940	728	voiceadequovl.exe	powershell.exe
PID 728 wrote to memory of 940	728	voiceadequovl.exe	powershell.exe
PID 728 wrote to memory of 940	728	voiceadequovl.exe	powershell.exe
PID 728 wrote to memory of 1856	728	voiceadequovl.exe	cmd.exe
PID 728 wrote to memory of 1856	728	voiceadequovl.exe	cmd.exe
PID 728 wrote to memory of 1856	728	voiceadequovl.exe	cmd.exe
PID 728 wrote to memory of 1856	728	voiceadequovl.exe	cmd.exe
PID 1856 wrote to memory of 996	1856	cmd.exe	powershell.exe
PID 1856 wrote to memory of 996	1856	cmd.exe	powershell.exe
PID 1856 wrote to memory of 996	1856	cmd.exe	powershell.exe
PID 1856 wrote to memory of 996	1856	cmd.exe	powershell.exe
PID 728 wrote to memory of 528	728	voiceadequovl.exe	voiceadequovl.exe
PID 728 wrote to memory of 528	728	voiceadequovl.exe	voiceadequovl.exe
PID 728 wrote to memory of 528	728	voiceadequovl.exe	voiceadequovl.exe
PID 728 wrote to memory of 528	728	voiceadequovl.exe	voiceadequovl.exe
PID 728 wrote to memory of 528	728	voiceadequovl.exe	voiceadequovl.exe
PID 728 wrote to memory of 528	728	voiceadequovl.exe	voiceadequovl.exe
PID 728 wrote to memory of 528	728	voiceadequovl.exe	voiceadequovl.exe
PID 728 wrote to memory of 528	728	voiceadequovl.exe	voiceadequovl.exe
PID 728 wrote to memory of 528	728	voiceadequovl.exe	voiceadequovl.exe
PID 728 wrote to memory of 528	728	voiceadequovl.exe	voiceadequovl.exe
PID 728 wrote to memory of 528	728	voiceadequovl.exe	voiceadequovl.exe
PID 728 wrote to memory of 528	728	voiceadequovl.exe	voiceadequovl.exe
PID 528 wrote to memory of 316	528	voiceadequovl.exe	wmic.exe
PID 528 wrote to memory of 316	528	voiceadequovl.exe	wmic.exe
PID 528 wrote to memory of 316	528	voiceadequovl.exe	wmic.exe
PID 528 wrote to memory of 316	528	voiceadequovl.exe	wmic.exe
PID 528 wrote to memory of 1364	528	voiceadequovl.exe	cmd.exe
PID 528 wrote to memory of 1364	528	voiceadequovl.exe	cmd.exe
PID 528 wrote to memory of 1364	528	voiceadequovl.exe	cmd.exe
PID 528 wrote to memory of 1364	528	voiceadequovl.exe	cmd.exe
PID 1364 wrote to memory of 1088	1364	cmd.exe	WMIC.exe
PID 1364 wrote to memory of 1088	1364	cmd.exe	WMIC.exe
PID 1364 wrote to memory of 1088	1364	cmd.exe	WMIC.exe
PID 1364 wrote to memory of 1088	1364	cmd.exe	WMIC.exe
PID 528 wrote to memory of 668	528	voiceadequovl.exe	cmd.exe
PID 528 wrote to memory of 668	528	voiceadequovl.exe	cmd.exe
PID 528 wrote to memory of 668	528	voiceadequovl.exe	cmd.exe
PID 528 wrote to memory of 668	528	voiceadequovl.exe	cmd.exe
PID 668 wrote to memory of 1580	668	cmd.exe	WMIC.exe
PID 668 wrote to memory of 1580	668	cmd.exe	WMIC.exe
PID 668 wrote to memory of 1580	668	cmd.exe	WMIC.exe
PID 668 wrote to memory of 1580	668	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:940
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:528
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:668
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
177.8MB

MD5
cff641ce3310c84b593cc41b29dfb8a1

SHA1
477899d15bb0d251ddfe1c54a23940bc28e5afce

SHA256
10838145a3e49ef837b8553dacf9cc608a9e45ef7e832f51e71495ed51a50cc3

SHA512
08a0514890577443cb5be5681ba28c8b6b4aa28784aae70b30f6fb1b0b2dade9c8a8731023cc5bdb0e08d8abbc19f8d3831ead710f705ad9049888413c0dc928

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
177.2MB

MD5
95cd909b676fb78eef25b5db212681ea

SHA1
02ff8a8b4361362dc3c8fd856de3802f24d5476f

SHA256
280208513fa9c78b79cb518188007c5baec361e6dd21bd0467571b6fd3b9c63a

SHA512
c724cdb0f3d83a4c4c9cdb680ee6ce5aa97b301a3d9e935737be139b685b43568852de682b6c402f7cd184603772cacc3710963383fcc42a1cbd67aa27a04861

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c983b636c59ca10e2a08fd61bfa1e713

SHA1
27ca7e8cebc050e0fbcfcc00e910ce230f2e413f

SHA256
a48472f995edd451c2b652363effe21c6f59d8a24f2b6a58895ccf9527824acd

SHA512
49661b76d6d3bd1a23b925823fe503a5ca5ce0e9885d9ff534607d487dbcc80ef976df037f8469505a0f413bcd087761cd344371b466837572d2210c07a71fdd

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
114.9MB

MD5
20779cfc2c8bfadb58d716bc5d049435

SHA1
a2e98381a3fce1287402eba717c88c35df9cb6fb

SHA256
72a1aa57a4e58a8266b9d2844545b3765b77dbae980bd30e98ebd45e41149f3a

SHA512
62390541a7b0a8f63d6dd214f48dfbf1a1244ad193a0d7471a3aae73f05325980af060c8883229c58f9d61a68a370ca1ed61a0f1e103d7c580527e80d3046aa8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
110.6MB

MD5
5cf04cbd3b7661ac85d4ff384bb896dd

SHA1
16b5dbef78cc15a5664e72fbef06b16b07017b05

SHA256
00badba5dc9504c64a428a256efc07230e1cd9b186d2b4e6d7f9e05aefea6489

SHA512
d41c01af006e6929cb86940fbe4a5d0ebff3ff127a3c220da432e5a3216d139dcaf941b7f381d814d0979635af1279f034ddc55b1c43ec1d421e767233bd5128

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
40.0MB

MD5
a84f8bb9823588c5dcd9a9cd4f32005b

SHA1
2d2f15522a9cd7761463daf33e8aad2ce1c87579

SHA256
9deaa7753f58b5fe0dfaebd84d2e4bd9c3c33fc2af41bb89ab53aceb7c44ef60

SHA512
bc1c6a3fa0c7658ea10aaee7ddfea8d4958a856cd2f83084e136262723e7b603d80372154bbcbf8c04d7849b85b328d6c8430001dea0021a6ac3fd5dc937da98

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
116.2MB

MD5
5d66e10518ec6b89e323200601faee32

SHA1
5022ba5b656d4a26f2ae8b9922156da63696d005

SHA256
c3b244b4bb74ce8d2439ab47299c6ca2700b56444c1d6c1001822d61d3d2fa24

SHA512
4443170460e29e40f2add83d2753c49f33af9eb3723cda0d7a6dc06773579df05872278c38738130758d97320fa3163152cbc7bc374290ea7a6ae7f04fad3400

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
101.9MB

MD5
22526777cfcba83f747d10736a10e616

SHA1
2f3ab87ee16d868df2a66c6949db6deacf533411

SHA256
1165118afa66981b41b45cd37d40e0a7c8c46a1fa9fe3a35da923c4e2cc91296

SHA512
933df063e81ee2fcd69dfd0a165e31573bd5012d86735458bd29eb07684def060386e4a0455bf97e85142966432e69f2a11985e88cf42b73f868dbe1a79c3054

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
114.1MB

MD5
7f742dba22ef95a840e341aa19b8f876

SHA1
66b5c391724151b54e87cb17083a83bf72292dd5

SHA256
4129b62685335d4ec269d3a17939e3be757548de15e3b407191332e82e2bc645

SHA512
35c3418801daccfba3a00189a0b3d68ea840cc3ce69a8be3491a32aacf626f171521f24315ae4dc8420726a1d03e620bcad2fb11a6dbdd00a08b4bcf1e930a48

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
110.1MB

MD5
c0fd1e9a62f1003c31f153c5bedcdcf4

SHA1
e98b21b845dc5ca7321111543c94d87fffa6d173

SHA256
199dfa9f7889b8352d62877c7d5c3c9517ad58ccdf92bf02b5553a658b83ebf4

SHA512
0bf48105431b2845050ef64279b5fbad8daddfc855a068db8fa3327d59c8606ac06552c5759c1265f331262d79bbe002260aac4e4aa46926b4baf41ded4fdde2

Download Submit
memory/316-96-0x0000000000000000-mapping.dmp

Download
memory/528-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/528-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/528-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/528-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/528-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/528-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/528-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/528-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/528-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/528-90-0x0000000000464C20-mapping.dmp

Download
memory/528-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/528-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/668-99-0x0000000000000000-mapping.dmp

Download
memory/728-62-0x0000000000000000-mapping.dmp

Download
memory/728-66-0x0000000006450000-0x00000000067F0000-memory.dmp

Filesize
3.6MB

Download
memory/728-73-0x00000000053B0000-0x0000000005522000-memory.dmp

Filesize
1.4MB

Download
memory/728-65-0x00000000011F0000-0x0000000001964000-memory.dmp

Filesize
7.5MB

Download
memory/940-69-0x000000006F6A0000-0x000000006FC4B000-memory.dmp

Filesize
5.7MB

Download
memory/940-71-0x000000006F6A0000-0x000000006FC4B000-memory.dmp

Filesize
5.7MB

Download
memory/940-70-0x000000006F6A0000-0x000000006FC4B000-memory.dmp

Filesize
5.7MB

Download
memory/940-67-0x0000000000000000-mapping.dmp

Download
memory/996-87-0x000000006F660000-0x000000006FC0B000-memory.dmp

Filesize
5.7MB

Download
memory/996-74-0x0000000000000000-mapping.dmp

Download
memory/996-95-0x000000006F660000-0x000000006FC0B000-memory.dmp

Filesize
5.7MB

Download
memory/1088-98-0x0000000000000000-mapping.dmp

Download
memory/1364-97-0x0000000000000000-mapping.dmp

Download
memory/1556-54-0x0000000000000000-mapping.dmp

Download
memory/1556-56-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1580-100-0x0000000000000000-mapping.dmp

Download
memory/1856-72-0x0000000000000000-mapping.dmp

Download