aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
85s
max time network
89s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1308-66-0x0000000006310000-0x00000000066B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

672 voiceadequovl.exe
1308 voiceadequovl.exe
1648 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

672 voiceadequovl.exe
672 voiceadequovl.exe
672 voiceadequovl.exe
672 voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
672	voiceadequovl.exe
1308	voiceadequovl.exe
1648	voiceadequovl.exe

pid	process
672	voiceadequovl.exe
672	voiceadequovl.exe
672	voiceadequovl.exe
672	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1308 set thread context of 1648 1308 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1752 powershell.exe
996 powershell.exe

description	pid	process	target process
PID 1308 set thread context of 1648	1308	voiceadequovl.exe	voiceadequovl.exe

pid	process
1752	powershell.exe
996	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1308	voiceadequovl.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeIncreaseQuotaPrivilege	1540	wmic.exe
Token: SeSecurityPrivilege	1540	wmic.exe
Token: SeTakeOwnershipPrivilege	1540	wmic.exe
Token: SeLoadDriverPrivilege	1540	wmic.exe
Token: SeSystemProfilePrivilege	1540	wmic.exe
Token: SeSystemtimePrivilege	1540	wmic.exe
Token: SeProfSingleProcessPrivilege	1540	wmic.exe
Token: SeIncBasePriorityPrivilege	1540	wmic.exe
Token: SeCreatePagefilePrivilege	1540	wmic.exe
Token: SeBackupPrivilege	1540	wmic.exe
Token: SeRestorePrivilege	1540	wmic.exe
Token: SeShutdownPrivilege	1540	wmic.exe
Token: SeDebugPrivilege	1540	wmic.exe
Token: SeSystemEnvironmentPrivilege	1540	wmic.exe
Token: SeRemoteShutdownPrivilege	1540	wmic.exe
Token: SeUndockPrivilege	1540	wmic.exe
Token: SeManageVolumePrivilege	1540	wmic.exe
Token: 33	1540	wmic.exe
Token: 34	1540	wmic.exe
Token: 35	1540	wmic.exe
Token: SeIncreaseQuotaPrivilege	1540	wmic.exe
Token: SeSecurityPrivilege	1540	wmic.exe
Token: SeTakeOwnershipPrivilege	1540	wmic.exe
Token: SeLoadDriverPrivilege	1540	wmic.exe
Token: SeSystemProfilePrivilege	1540	wmic.exe
Token: SeSystemtimePrivilege	1540	wmic.exe
Token: SeProfSingleProcessPrivilege	1540	wmic.exe
Token: SeIncBasePriorityPrivilege	1540	wmic.exe
Token: SeCreatePagefilePrivilege	1540	wmic.exe
Token: SeBackupPrivilege	1540	wmic.exe
Token: SeRestorePrivilege	1540	wmic.exe
Token: SeShutdownPrivilege	1540	wmic.exe
Token: SeDebugPrivilege	1540	wmic.exe
Token: SeSystemEnvironmentPrivilege	1540	wmic.exe
Token: SeRemoteShutdownPrivilege	1540	wmic.exe
Token: SeUndockPrivilege	1540	wmic.exe
Token: SeManageVolumePrivilege	1540	wmic.exe
Token: 33	1540	wmic.exe
Token: 34	1540	wmic.exe
Token: 35	1540	wmic.exe
Token: SeIncreaseQuotaPrivilege	1088	WMIC.exe
Token: SeSecurityPrivilege	1088	WMIC.exe
Token: SeTakeOwnershipPrivilege	1088	WMIC.exe
Token: SeLoadDriverPrivilege	1088	WMIC.exe
Token: SeSystemProfilePrivilege	1088	WMIC.exe
Token: SeSystemtimePrivilege	1088	WMIC.exe
Token: SeProfSingleProcessPrivilege	1088	WMIC.exe
Token: SeIncBasePriorityPrivilege	1088	WMIC.exe
Token: SeCreatePagefilePrivilege	1088	WMIC.exe
Token: SeBackupPrivilege	1088	WMIC.exe
Token: SeRestorePrivilege	1088	WMIC.exe
Token: SeShutdownPrivilege	1088	WMIC.exe
Token: SeDebugPrivilege	1088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1088	WMIC.exe
Token: SeRemoteShutdownPrivilege	1088	WMIC.exe
Token: SeUndockPrivilege	1088	WMIC.exe
Token: SeManageVolumePrivilege	1088	WMIC.exe
Token: 33	1088	WMIC.exe
Token: 34	1088	WMIC.exe
Token: 35	1088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1088	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 1236 wrote to memory of 672	1236	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1236 wrote to memory of 672	1236	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1236 wrote to memory of 672	1236	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1236 wrote to memory of 672	1236	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 672 wrote to memory of 1308	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 1308	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 1308	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 1308	672	voiceadequovl.exe	voiceadequovl.exe
PID 1308 wrote to memory of 1752	1308	voiceadequovl.exe	powershell.exe
PID 1308 wrote to memory of 1752	1308	voiceadequovl.exe	powershell.exe
PID 1308 wrote to memory of 1752	1308	voiceadequovl.exe	powershell.exe
PID 1308 wrote to memory of 1752	1308	voiceadequovl.exe	powershell.exe
PID 1308 wrote to memory of 1856	1308	voiceadequovl.exe	cmd.exe
PID 1308 wrote to memory of 1856	1308	voiceadequovl.exe	cmd.exe
PID 1308 wrote to memory of 1856	1308	voiceadequovl.exe	cmd.exe
PID 1308 wrote to memory of 1856	1308	voiceadequovl.exe	cmd.exe
PID 1856 wrote to memory of 996	1856	cmd.exe	powershell.exe
PID 1856 wrote to memory of 996	1856	cmd.exe	powershell.exe
PID 1856 wrote to memory of 996	1856	cmd.exe	powershell.exe
PID 1856 wrote to memory of 996	1856	cmd.exe	powershell.exe
PID 1308 wrote to memory of 1648	1308	voiceadequovl.exe	voiceadequovl.exe
PID 1308 wrote to memory of 1648	1308	voiceadequovl.exe	voiceadequovl.exe
PID 1308 wrote to memory of 1648	1308	voiceadequovl.exe	voiceadequovl.exe
PID 1308 wrote to memory of 1648	1308	voiceadequovl.exe	voiceadequovl.exe
PID 1308 wrote to memory of 1648	1308	voiceadequovl.exe	voiceadequovl.exe
PID 1308 wrote to memory of 1648	1308	voiceadequovl.exe	voiceadequovl.exe
PID 1308 wrote to memory of 1648	1308	voiceadequovl.exe	voiceadequovl.exe
PID 1308 wrote to memory of 1648	1308	voiceadequovl.exe	voiceadequovl.exe
PID 1308 wrote to memory of 1648	1308	voiceadequovl.exe	voiceadequovl.exe
PID 1308 wrote to memory of 1648	1308	voiceadequovl.exe	voiceadequovl.exe
PID 1308 wrote to memory of 1648	1308	voiceadequovl.exe	voiceadequovl.exe
PID 1308 wrote to memory of 1648	1308	voiceadequovl.exe	voiceadequovl.exe
PID 1648 wrote to memory of 1540	1648	voiceadequovl.exe	wmic.exe
PID 1648 wrote to memory of 1540	1648	voiceadequovl.exe	wmic.exe
PID 1648 wrote to memory of 1540	1648	voiceadequovl.exe	wmic.exe
PID 1648 wrote to memory of 1540	1648	voiceadequovl.exe	wmic.exe
PID 1648 wrote to memory of 1364	1648	voiceadequovl.exe	cmd.exe
PID 1648 wrote to memory of 1364	1648	voiceadequovl.exe	cmd.exe
PID 1648 wrote to memory of 1364	1648	voiceadequovl.exe	cmd.exe
PID 1648 wrote to memory of 1364	1648	voiceadequovl.exe	cmd.exe
PID 1364 wrote to memory of 1088	1364	cmd.exe	WMIC.exe
PID 1364 wrote to memory of 1088	1364	cmd.exe	WMIC.exe
PID 1364 wrote to memory of 1088	1364	cmd.exe	WMIC.exe
PID 1364 wrote to memory of 1088	1364	cmd.exe	WMIC.exe
PID 1648 wrote to memory of 364	1648	voiceadequovl.exe	cmd.exe
PID 1648 wrote to memory of 364	1648	voiceadequovl.exe	cmd.exe
PID 1648 wrote to memory of 364	1648	voiceadequovl.exe	cmd.exe
PID 1648 wrote to memory of 364	1648	voiceadequovl.exe	cmd.exe
PID 364 wrote to memory of 1284	364	cmd.exe	WMIC.exe
PID 364 wrote to memory of 1284	364	cmd.exe	WMIC.exe
PID 364 wrote to memory of 1284	364	cmd.exe	WMIC.exe
PID 364 wrote to memory of 1284	364	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
137.3MB

MD5
e444d74e90a591074fc8edb957525c97

SHA1
88390d1a953d964a21e7adc24b58bc197c7ec7f3

SHA256
55c6b9f8e91402ee6554194ebdd87deddab55be55a03ff1d4794499fd3efb93d

SHA512
63f0db5de81f7a84c1722cb695b920c4a3bb62c488c39138b618ba9d5fb431bf78e0837044ee5b5b86cc06b7aa2e710b6d22c6df7d09f7ab7cf331d1d4d3b3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
137.8MB

MD5
13115942e0b047cc2e32a26ff8ab1319

SHA1
1af626f56b28329e467df12b6decc13a49705dab

SHA256
489a9148faca7f7772785c40e900fc3957073d18921cf1230b51d5cee6ce7e95

SHA512
63fc4524d76eb893523806b9361409bfc7b640ef2f7c478e0540b5d772a1599e754bcca81fb1bce4ee5944eb0988e00e7229e8c7b117f9a0847fcbff5505c952

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
67c396fdb8639cc8ba1e1e756fb31c06

SHA1
71eadf6e0412e4f7d39e6b86ca58a44b78ef96a4

SHA256
052960f31448f93c368b7d8afe06b4a6c9d65e09117c50365315ecbb744deb83

SHA512
835bea56a1a65eed4b83176fca0538979df061cb8c4fdbc8501be2e18f28a3a0b6fee4d5fdb1fbaa85f7cfc190bf29bc0157f72b366c6ae53bf8a39813128080

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
117.6MB

MD5
09eccf943a1bc7882adbf7f93530d210

SHA1
3d5e7029ab21389acea861abe9a619b77fb48972

SHA256
80e6c245d517c219a7212e1b52b106b721f2d68c6d773a4ba82e8b39d7d36826

SHA512
759d552aeb82eae50f6b691753e0f6456100b9149ff6ee3438911ca3c85d5b1a07f4db2a23724f695adff8f317eadf49c7128e52fbbe78dbf988b32c15923be5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
120.6MB

MD5
94dd6b60cd666dc1350b102380cc44fb

SHA1
66229a8965bcd37d186450c9180ef33792cc6953

SHA256
c0fed800e7490e98929d7882223ffe8eb1be6d1d37157623edcfc1d6f4676739

SHA512
3c970cd9f672b2749f65a20bb73d5d9c00b7ea6449911fc2b95a6d378bb3d05b30d8c6e255fd89afae5c832ea0d1dda392f6534c2a7b5c1e0cd666fb7e44b5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
66.2MB

MD5
e5bb75e1bf1e1ea607fa2eca9f71d44a

SHA1
3a4a14296042d215760826bf697e548ece01d256

SHA256
a0b8432c6d867721a5904e0f337c76c355249a0c37dd331c2ba6036050eb9c17

SHA512
6957921917c94fa9c0fc4677755b1c246f465e924b5a084ac60c8bc517e3c9b5610e1b07c2149ededf5121ec5f2003bac97c24a430c8eeb318bc893f86c558eb

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
120.5MB

MD5
c6be758319bf76f71c15e856b77b792f

SHA1
73b8051d270e484762392b803bdc149a2590892a

SHA256
c7a4538659cdcabc3ccefe0505001c0337efca0abfd2ca623bfca5d5acb77739

SHA512
36c3f22a81a8083998252f7a48a21b876c0c20f356065255c0f8deb03fba7f7606a1d821d9b1e3d6587b85c2909fe74585ce9efa34093abdd1da85a8b152ff27

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
117.6MB

MD5
6366d1f60f8658e3b5894eea61aa464e

SHA1
da2f2763ca2b975fcfdda63b5eeda4301d2b6e8b

SHA256
d1e66a8a722d2416534f69d8a655939bfbee206c6fb743f4423d15914b489893

SHA512
1595b472298664c2b1ccbcec3d90e5d1aef3cd4624a8c46003b93482b41fd5aa0bfe159a0153211a85c33a09d0da140167f0f04d6397122443a5c375b97e44f8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
119.9MB

MD5
c61e8b33fb94cfefd73b4ac0b8907cbd

SHA1
2f4ff9dc4d2fb47329a2a344d1f993f301216d0f

SHA256
48b5f11faf08100d18f8a601e4abba38e0e99b5db6af0bc0874639d0618ffc13

SHA512
457f35064efb99b3431012b8974c23b028ed02c257a3fe20442d5ff03d7f63ca4b2bfc7452f205f1dff1c5360330089f1535a679205137fd6e6b0c6cf6212f03

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
119.6MB

MD5
65e77e7b6966bda0502eaec92b3fc880

SHA1
8b8029c483e9a021c307df8437448e5d7ba2ea78

SHA256
842b46eba4acc4653015f8c446ae11c325a3722712979be6e476c68faa9c5497

SHA512
6d3fdd446f3ffe63a2ca93966ffda716d2441d9a338cc6578a35b43276fd8e71642211950a683c59d0d3daa9366e1fc117b5d861bc06606f17dd13d1ffe0cd49

Download Submit
memory/364-99-0x0000000000000000-mapping.dmp

Download
memory/672-56-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/672-54-0x0000000000000000-mapping.dmp

Download
memory/996-73-0x0000000000000000-mapping.dmp

Download
memory/996-94-0x000000006F660000-0x000000006FC0B000-memory.dmp

Filesize
5.7MB

Download
memory/996-93-0x000000006F660000-0x000000006FC0B000-memory.dmp

Filesize
5.7MB

Download
memory/1088-98-0x0000000000000000-mapping.dmp

Download
memory/1284-100-0x0000000000000000-mapping.dmp

Download
memory/1308-74-0x0000000005420000-0x0000000005592000-memory.dmp

Filesize
1.4MB

Download
memory/1308-62-0x0000000000000000-mapping.dmp

Download
memory/1308-65-0x0000000000CB0000-0x0000000001424000-memory.dmp

Filesize
7.5MB

Download
memory/1308-66-0x0000000006310000-0x00000000066B0000-memory.dmp

Filesize
3.6MB

Download
memory/1364-97-0x0000000000000000-mapping.dmp

Download
memory/1540-96-0x0000000000000000-mapping.dmp

Download
memory/1648-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1648-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1648-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1648-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1648-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1648-89-0x0000000000464C20-mapping.dmp

Download
memory/1648-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1648-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1648-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1648-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1648-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1648-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1752-70-0x000000006F6A0000-0x000000006FC4B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-71-0x000000006F6A0000-0x000000006FC4B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-69-0x000000006F6A0000-0x000000006FC4B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-67-0x0000000000000000-mapping.dmp

Download
memory/1856-72-0x0000000000000000-mapping.dmp

Download