aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
61s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

voiceadequovl.exevoiceadequovl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 5 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

3472 voiceadequovl.exe
3360 voiceadequovl.exe
1536 voiceadequovl.exe
4956 voiceadequovl.exe
4536 voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3472	voiceadequovl.exe
3360	voiceadequovl.exe
1536	voiceadequovl.exe
4956	voiceadequovl.exe
4536	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 3360 set thread context of 4536 3360 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3360 set thread context of 4536	3360	voiceadequovl.exe	voiceadequovl.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exevoiceadequovl.exe

pid	process
3768	powershell.exe
3768	powershell.exe
4564	powershell.exe
3360	voiceadequovl.exe
3360	voiceadequovl.exe
3360	voiceadequovl.exe
3360	voiceadequovl.exe
4564	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3360	voiceadequovl.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeIncreaseQuotaPrivilege	3776	wmic.exe
Token: SeSecurityPrivilege	3776	wmic.exe
Token: SeTakeOwnershipPrivilege	3776	wmic.exe
Token: SeLoadDriverPrivilege	3776	wmic.exe
Token: SeSystemProfilePrivilege	3776	wmic.exe
Token: SeSystemtimePrivilege	3776	wmic.exe
Token: SeProfSingleProcessPrivilege	3776	wmic.exe
Token: SeIncBasePriorityPrivilege	3776	wmic.exe
Token: SeCreatePagefilePrivilege	3776	wmic.exe
Token: SeBackupPrivilege	3776	wmic.exe
Token: SeRestorePrivilege	3776	wmic.exe
Token: SeShutdownPrivilege	3776	wmic.exe
Token: SeDebugPrivilege	3776	wmic.exe
Token: SeSystemEnvironmentPrivilege	3776	wmic.exe
Token: SeRemoteShutdownPrivilege	3776	wmic.exe
Token: SeUndockPrivilege	3776	wmic.exe
Token: SeManageVolumePrivilege	3776	wmic.exe
Token: 33	3776	wmic.exe
Token: 34	3776	wmic.exe
Token: 35	3776	wmic.exe
Token: 36	3776	wmic.exe
Token: SeIncreaseQuotaPrivilege	3776	wmic.exe
Token: SeSecurityPrivilege	3776	wmic.exe
Token: SeTakeOwnershipPrivilege	3776	wmic.exe
Token: SeLoadDriverPrivilege	3776	wmic.exe
Token: SeSystemProfilePrivilege	3776	wmic.exe
Token: SeSystemtimePrivilege	3776	wmic.exe
Token: SeProfSingleProcessPrivilege	3776	wmic.exe
Token: SeIncBasePriorityPrivilege	3776	wmic.exe
Token: SeCreatePagefilePrivilege	3776	wmic.exe
Token: SeBackupPrivilege	3776	wmic.exe
Token: SeRestorePrivilege	3776	wmic.exe
Token: SeShutdownPrivilege	3776	wmic.exe
Token: SeDebugPrivilege	3776	wmic.exe
Token: SeSystemEnvironmentPrivilege	3776	wmic.exe
Token: SeRemoteShutdownPrivilege	3776	wmic.exe
Token: SeUndockPrivilege	3776	wmic.exe
Token: SeManageVolumePrivilege	3776	wmic.exe
Token: 33	3776	wmic.exe
Token: 34	3776	wmic.exe
Token: 35	3776	wmic.exe
Token: 36	3776	wmic.exe
Token: SeIncreaseQuotaPrivilege	4548	WMIC.exe
Token: SeSecurityPrivilege	4548	WMIC.exe
Token: SeTakeOwnershipPrivilege	4548	WMIC.exe
Token: SeLoadDriverPrivilege	4548	WMIC.exe
Token: SeSystemProfilePrivilege	4548	WMIC.exe
Token: SeSystemtimePrivilege	4548	WMIC.exe
Token: SeProfSingleProcessPrivilege	4548	WMIC.exe
Token: SeIncBasePriorityPrivilege	4548	WMIC.exe
Token: SeCreatePagefilePrivilege	4548	WMIC.exe
Token: SeBackupPrivilege	4548	WMIC.exe
Token: SeRestorePrivilege	4548	WMIC.exe
Token: SeShutdownPrivilege	4548	WMIC.exe
Token: SeDebugPrivilege	4548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4548	WMIC.exe
Token: SeRemoteShutdownPrivilege	4548	WMIC.exe
Token: SeUndockPrivilege	4548	WMIC.exe
Token: SeManageVolumePrivilege	4548	WMIC.exe
Token: 33	4548	WMIC.exe
Token: 34	4548	WMIC.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 2300 wrote to memory of 3472	2300	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2300 wrote to memory of 3472	2300	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2300 wrote to memory of 3472	2300	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 3472 wrote to memory of 3360	3472	voiceadequovl.exe	voiceadequovl.exe
PID 3472 wrote to memory of 3360	3472	voiceadequovl.exe	voiceadequovl.exe
PID 3472 wrote to memory of 3360	3472	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 3768	3360	voiceadequovl.exe	powershell.exe
PID 3360 wrote to memory of 3768	3360	voiceadequovl.exe	powershell.exe
PID 3360 wrote to memory of 3768	3360	voiceadequovl.exe	powershell.exe
PID 3360 wrote to memory of 4968	3360	voiceadequovl.exe	cmd.exe
PID 3360 wrote to memory of 4968	3360	voiceadequovl.exe	cmd.exe
PID 3360 wrote to memory of 4968	3360	voiceadequovl.exe	cmd.exe
PID 4968 wrote to memory of 4564	4968	cmd.exe	powershell.exe
PID 4968 wrote to memory of 4564	4968	cmd.exe	powershell.exe
PID 4968 wrote to memory of 4564	4968	cmd.exe	powershell.exe
PID 3360 wrote to memory of 1536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 1536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 1536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4956	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4956	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4956	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 3360 wrote to memory of 4536	3360	voiceadequovl.exe	voiceadequovl.exe
PID 4536 wrote to memory of 3776	4536	voiceadequovl.exe	wmic.exe
PID 4536 wrote to memory of 3776	4536	voiceadequovl.exe	wmic.exe
PID 4536 wrote to memory of 3776	4536	voiceadequovl.exe	wmic.exe
PID 4536 wrote to memory of 3356	4536	voiceadequovl.exe	cmd.exe
PID 4536 wrote to memory of 3356	4536	voiceadequovl.exe	cmd.exe
PID 4536 wrote to memory of 3356	4536	voiceadequovl.exe	cmd.exe
PID 3356 wrote to memory of 4548	3356	cmd.exe	WMIC.exe
PID 3356 wrote to memory of 4548	3356	cmd.exe	WMIC.exe
PID 3356 wrote to memory of 4548	3356	cmd.exe	WMIC.exe
PID 4536 wrote to memory of 828	4536	voiceadequovl.exe	cmd.exe
PID 4536 wrote to memory of 828	4536	voiceadequovl.exe	cmd.exe
PID 4536 wrote to memory of 828	4536	voiceadequovl.exe	cmd.exe
PID 828 wrote to memory of 4884	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 4884	828	cmd.exe	WMIC.exe
PID 828 wrote to memory of 4884	828	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1536

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:4956

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e4565a407deeb8eb8ab97fd4bf03b89d

SHA1
9cd8bb9df44052a8c2622f11c62defa201897a4b

SHA256
a233cbcdc9b1ddcbcefb30463fbad7c617b1418b341ffdf50ec8b2ee1307224e

SHA512
6d853b85afda6075b10a1af89dca21eae5e749e0f9c0f85db07e955f3f0ff22583dfa694e0b1174bfddc753c26ee15eda3737f0aaececf0d3356cc907bfdd69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
270.5MB

MD5
38e2f0e837ed1073eabb0bb2e4d8522d

SHA1
d3ffecf867abbde6417d8b4fac7c73074262890b

SHA256
bf13a5122130844a8884fdfa13e66201af168fa3c9af2707cb3f859448c725ca

SHA512
fd0e2fff420c138fd83da01d38c5aaf77c4e75c3413e0579c66c1349884235e80843135354fa775e44de0e3209546fc3b23d99953a8707d455ed5a27ef0e3c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
274.3MB

MD5
030d25972cdc70c77659e0199250a3bb

SHA1
88933bb0a8eb1c45b19a56df18f045bf9394877f

SHA256
7255ac279dac4048ddab7c2d345369a4d2e140dd14405910d5f5375f0d67ec8a

SHA512
2a3cd7d8f2d63b07e4c81e48e7587ca3273e4890257fe422af57f12fe6ab69b6becb1cbd73d36a27522debf0857450bf2a1f3337fd6cd8d03cd79637e91e1ed6

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
265.9MB

MD5
1e752412ce36efad6d4998ac66cc8757

SHA1
9c3d12ae990d1c7c29ce2ea137730f1ef6e8553d

SHA256
f8d312600b4d741e6b42629bd9e7682e0e9278e36b5d32b642204e9c774dcbd0

SHA512
9a6e6f26937617fb53012c9a201679145f83aac4676e070f78df09b6ff4cbb8496c32de90ac2ba9e7ebcb911c77c9bd99c45dac28a8ba52fdcd85f0effe11b5d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
263.0MB

MD5
46812ed4b22121d22690a936afc2b268

SHA1
7ba070a3e6c69a289754a8a4dc2ab6eab009ceb7

SHA256
a85a3cbda09d3d485cfb0967d45e3ecd8e575394f274aa10377dde07fdf1f4a4

SHA512
ea0b845071713158561d42dccc9178ebff519049d1c042e2e257958169d13f6f90024e767e8dc4eeab821183949fddedac15951ecf1d6fd603b1f153a076a219

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
183.2MB

MD5
214f62d903b883da780b0239563f52aa

SHA1
72e3e558bde95d38a005416581a1ec89db0a34b2

SHA256
63a6ac4e72a5a61623c1ff958dd59f16ec820109bf85ea3910468cb6d8ada129

SHA512
b6190fc2ec65be50279e6e41d52213b0755de5c9365c9915656952243417f8b1c2d39780126b7e14ac35f4edc0102f4aff028f9b25eb9c130b45a6c51df4ccb4

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
184.8MB

MD5
010e97d9b79b4bfa6b16e78075afa0e6

SHA1
fe1b97287b237784ab3f0d99f184911dccb04d51

SHA256
7873f856f8f4f94cf4c4bef89be40a76620f0849e1f118d75c80b265c6a11888

SHA512
fb3bdd08962675346e8200344b62ae6ef448c1620e0c4fdcdaaccc2a92b38597f2f4ab8a0f8c6e18c64e6c2bac694db526dcf1abd47c50b6787cab6fffeaee03

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
197.3MB

MD5
507d75510baf312db93ea3915df2f406

SHA1
7f65a7ebb317a9ce1d555b0ae62ef7fcd256aa2a

SHA256
acb1a9edda48fef2b439240fe9f6200214ea42493bf4013602480a43418eb01d

SHA512
bb7b36d4d53ae97a397ccf8f217afdc1f4742896ee45ce283a30d4518349ab6390efdd8759888760721542b0175f475a879fcf4fefcae3e0eb76882dd33661c8

Download Submit
memory/828-171-0x0000000000000000-mapping.dmp

Download
memory/1536-151-0x0000000000000000-mapping.dmp

Download
memory/3356-168-0x0000000000000000-mapping.dmp

Download
memory/3360-138-0x0000000000C40000-0x00000000013B4000-memory.dmp

Filesize
7.5MB

Download
memory/3360-139-0x00000000071C0000-0x00000000071E2000-memory.dmp

Filesize
136KB

Download
memory/3360-135-0x0000000000000000-mapping.dmp

Download
memory/3472-132-0x0000000000000000-mapping.dmp

Download
memory/3768-143-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/3768-144-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/3768-141-0x0000000002AF0000-0x0000000002B26000-memory.dmp

Filesize
216KB

Download
memory/3768-147-0x00000000065C0000-0x00000000065DA000-memory.dmp

Filesize
104KB

Download
memory/3768-140-0x0000000000000000-mapping.dmp

Download
memory/3768-146-0x0000000007930000-0x0000000007FAA000-memory.dmp

Filesize
6.5MB

Download
memory/3768-142-0x0000000005470000-0x0000000005A98000-memory.dmp

Filesize
6.2MB

Download
memory/3768-145-0x00000000060E0000-0x00000000060FE000-memory.dmp

Filesize
120KB

Download
memory/3776-165-0x0000000000000000-mapping.dmp

Download
memory/4536-159-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4536-156-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4536-161-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4536-155-0x0000000000000000-mapping.dmp

Download
memory/4536-176-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4548-170-0x0000000000000000-mapping.dmp

Download
memory/4564-163-0x0000000006AA0000-0x0000000006AD2000-memory.dmp

Filesize
200KB

Download
memory/4564-166-0x0000000006060000-0x000000000607E000-memory.dmp

Filesize
120KB

Download
memory/4564-167-0x0000000006E60000-0x0000000006E6A000-memory.dmp

Filesize
40KB

Download
memory/4564-164-0x0000000075AD0000-0x0000000075B1C000-memory.dmp

Filesize
304KB

Download
memory/4564-169-0x00000000070B0000-0x0000000007146000-memory.dmp

Filesize
600KB

Download
memory/4564-149-0x0000000000000000-mapping.dmp

Download
memory/4564-173-0x0000000005920000-0x000000000592E000-memory.dmp

Filesize
56KB

Download
memory/4564-174-0x0000000007010000-0x000000000702A000-memory.dmp

Filesize
104KB

Download
memory/4564-175-0x0000000006FF0000-0x0000000006FF8000-memory.dmp

Filesize
32KB

Download
memory/4884-172-0x0000000000000000-mapping.dmp

Download
memory/4956-153-0x0000000000000000-mapping.dmp

Download
memory/4968-148-0x0000000000000000-mapping.dmp

Download