aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
75s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

voiceadequovl.exevoiceadequovl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 4 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

4264 voiceadequovl.exe
1340 voiceadequovl.exe
2228 voiceadequovl.exe
400 voiceadequovl.exe

pid	process
4264	voiceadequovl.exe
1340	voiceadequovl.exe
2228	voiceadequovl.exe
400	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1340 set thread context of 400 1340 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exevoiceadequovl.exepowershell.exe

pid process

5056 powershell.exe
5056 powershell.exe
1340 voiceadequovl.exe
1340 voiceadequovl.exe
2184 powershell.exe
2184 powershell.exe

description	pid	process	target process
PID 1340 set thread context of 400	1340	voiceadequovl.exe	voiceadequovl.exe

pid	process
5056	powershell.exe
5056	powershell.exe
1340	voiceadequovl.exe
1340	voiceadequovl.exe
2184	powershell.exe
2184	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1340	voiceadequovl.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeIncreaseQuotaPrivilege	5100	wmic.exe
Token: SeSecurityPrivilege	5100	wmic.exe
Token: SeTakeOwnershipPrivilege	5100	wmic.exe
Token: SeLoadDriverPrivilege	5100	wmic.exe
Token: SeSystemProfilePrivilege	5100	wmic.exe
Token: SeSystemtimePrivilege	5100	wmic.exe
Token: SeProfSingleProcessPrivilege	5100	wmic.exe
Token: SeIncBasePriorityPrivilege	5100	wmic.exe
Token: SeCreatePagefilePrivilege	5100	wmic.exe
Token: SeBackupPrivilege	5100	wmic.exe
Token: SeRestorePrivilege	5100	wmic.exe
Token: SeShutdownPrivilege	5100	wmic.exe
Token: SeDebugPrivilege	5100	wmic.exe
Token: SeSystemEnvironmentPrivilege	5100	wmic.exe
Token: SeRemoteShutdownPrivilege	5100	wmic.exe
Token: SeUndockPrivilege	5100	wmic.exe
Token: SeManageVolumePrivilege	5100	wmic.exe
Token: 33	5100	wmic.exe
Token: 34	5100	wmic.exe
Token: 35	5100	wmic.exe
Token: 36	5100	wmic.exe
Token: SeIncreaseQuotaPrivilege	5100	wmic.exe
Token: SeSecurityPrivilege	5100	wmic.exe
Token: SeTakeOwnershipPrivilege	5100	wmic.exe
Token: SeLoadDriverPrivilege	5100	wmic.exe
Token: SeSystemProfilePrivilege	5100	wmic.exe
Token: SeSystemtimePrivilege	5100	wmic.exe
Token: SeProfSingleProcessPrivilege	5100	wmic.exe
Token: SeIncBasePriorityPrivilege	5100	wmic.exe
Token: SeCreatePagefilePrivilege	5100	wmic.exe
Token: SeBackupPrivilege	5100	wmic.exe
Token: SeRestorePrivilege	5100	wmic.exe
Token: SeShutdownPrivilege	5100	wmic.exe
Token: SeDebugPrivilege	5100	wmic.exe
Token: SeSystemEnvironmentPrivilege	5100	wmic.exe
Token: SeRemoteShutdownPrivilege	5100	wmic.exe
Token: SeUndockPrivilege	5100	wmic.exe
Token: SeManageVolumePrivilege	5100	wmic.exe
Token: 33	5100	wmic.exe
Token: 34	5100	wmic.exe
Token: 35	5100	wmic.exe
Token: 36	5100	wmic.exe
Token: SeIncreaseQuotaPrivilege	3800	WMIC.exe
Token: SeSecurityPrivilege	3800	WMIC.exe
Token: SeTakeOwnershipPrivilege	3800	WMIC.exe
Token: SeLoadDriverPrivilege	3800	WMIC.exe
Token: SeSystemProfilePrivilege	3800	WMIC.exe
Token: SeSystemtimePrivilege	3800	WMIC.exe
Token: SeProfSingleProcessPrivilege	3800	WMIC.exe
Token: SeIncBasePriorityPrivilege	3800	WMIC.exe
Token: SeCreatePagefilePrivilege	3800	WMIC.exe
Token: SeBackupPrivilege	3800	WMIC.exe
Token: SeRestorePrivilege	3800	WMIC.exe
Token: SeShutdownPrivilege	3800	WMIC.exe
Token: SeDebugPrivilege	3800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3800	WMIC.exe
Token: SeRemoteShutdownPrivilege	3800	WMIC.exe
Token: SeUndockPrivilege	3800	WMIC.exe
Token: SeManageVolumePrivilege	3800	WMIC.exe
Token: 33	3800	WMIC.exe
Token: 34	3800	WMIC.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 4216 wrote to memory of 4264	4216	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4216 wrote to memory of 4264	4216	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4216 wrote to memory of 4264	4216	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4264 wrote to memory of 1340	4264	voiceadequovl.exe	voiceadequovl.exe
PID 4264 wrote to memory of 1340	4264	voiceadequovl.exe	voiceadequovl.exe
PID 4264 wrote to memory of 1340	4264	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 5056	1340	voiceadequovl.exe	powershell.exe
PID 1340 wrote to memory of 5056	1340	voiceadequovl.exe	powershell.exe
PID 1340 wrote to memory of 5056	1340	voiceadequovl.exe	powershell.exe
PID 1340 wrote to memory of 3804	1340	voiceadequovl.exe	cmd.exe
PID 1340 wrote to memory of 3804	1340	voiceadequovl.exe	cmd.exe
PID 1340 wrote to memory of 3804	1340	voiceadequovl.exe	cmd.exe
PID 3804 wrote to memory of 2184	3804	cmd.exe	powershell.exe
PID 3804 wrote to memory of 2184	3804	cmd.exe	powershell.exe
PID 3804 wrote to memory of 2184	3804	cmd.exe	powershell.exe
PID 1340 wrote to memory of 2228	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 2228	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 2228	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 400	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 400	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 400	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 400	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 400	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 400	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 400	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 400	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 400	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 400	1340	voiceadequovl.exe	voiceadequovl.exe
PID 1340 wrote to memory of 400	1340	voiceadequovl.exe	voiceadequovl.exe
PID 400 wrote to memory of 5100	400	voiceadequovl.exe	wmic.exe
PID 400 wrote to memory of 5100	400	voiceadequovl.exe	wmic.exe
PID 400 wrote to memory of 5100	400	voiceadequovl.exe	wmic.exe
PID 400 wrote to memory of 580	400	voiceadequovl.exe	cmd.exe
PID 400 wrote to memory of 580	400	voiceadequovl.exe	cmd.exe
PID 400 wrote to memory of 580	400	voiceadequovl.exe	cmd.exe
PID 580 wrote to memory of 3800	580	cmd.exe	WMIC.exe
PID 580 wrote to memory of 3800	580	cmd.exe	WMIC.exe
PID 580 wrote to memory of 3800	580	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:2228

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:3836

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:4948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
0a17f096546385df3c09ab7b323a5974

SHA1
919f11eff329ff849c0cb5277f6d40bf470d0fc7

SHA256
bd93ce4455de76d6a11e0a7bf07422f201485afd4ec1d142a6da9ab7e9ba1fc7

SHA512
8bc89b571c5c543cf03588689949f4b1614b727237638bf8b96d61f5ae92ef44b20cfb3e2e1dd1b56fdf0e0daab425ab35fe3a00e132d4546e819a4c13a8f0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
171.8MB

MD5
edaccf0f5fe46665a08f46416be2c512

SHA1
768334d2a5c9ccc554e20593e6bf3a00a19bf346

SHA256
d405b95511bc5498b98a4fbe07becfc061c2d5a819a28f123ec561c5ac9982bc

SHA512
14ce030e0898cc824f765bcbd98656596ec5e3f91b1100b5fbfb7199cef39ab67d349a101be40ab5baba5e79a2a5a61270374bff72d7ea6f42bededf0b10a9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
140.7MB

MD5
b3e8f2a6ffe842eea3571b6c2fe7052b

SHA1
3cba9e2831806ee00e10c39033b171e4bc53240f

SHA256
791b6cedc0a50d2190776b7a6e27bb8b454d66037d26799f3af910245636b86e

SHA512
29cae014af667b06d7539855c527e7b0b0b686ae3498d636399205b99dde858bc4ac79114d22a52ebadeb2453d491e4f8aa287ffa77e80afb4e1a41cbff776c0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
123.8MB

MD5
580731ff034e277d56b421ba4c15ea48

SHA1
e68d09553c49c4e9b5704592b8c6eae274416c7c

SHA256
bbec475243e96d82e8bbd07278ad8ea74a25c017afbc8df9537ac47e69f9668b

SHA512
3287c20f6695458b8047e7070a84e04e3699881a7b6caa22f76a8c917831f4afaef1335ac60a389462e8706375b62ffc914e26cb467a246a5e44497830ae590c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
114.5MB

MD5
f959065f68d94e586c0a4c7337f1a392

SHA1
b5b0e17880936095f2028e613be8a01d77570dac

SHA256
fc49f1d19fad37467335f959e878cdd2eba5bc76b9121006ae00b753704a9617

SHA512
98b3af35cd6d26fd00baa30a63b545aca5ec43e5ec560e5be7841a1f5e4154a5fe4f59dd10dc495824d7da2cfb985349c80c68107c925c7305995174405f49a2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
68.6MB

MD5
426d40be03968e6fdd30d7281338b275

SHA1
52cb1472fe40cd2528aa96680f9d02b833a2f729

SHA256
49bbf2d1415b022dc9d04fd073653ecc3ff06e2c3286a923be721c9c6a936a93

SHA512
64e3d30d4a6363354ab30b18a5788064c43331f0f9e5dc58a4ee6f68156ea69cb01097361b77b7f1953bcad64af5f0d5757043a83b6c5f527c266ea90428b467

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
67.2MB

MD5
4a5fb4b46751ce473e50a40f7e53cc13

SHA1
8b4e670a689e17435c44d988a8a02d7b7d41c093

SHA256
66dfab22330f16aac24ac6183aa90e2a698efc2da4b27c60a065a88ee7540357

SHA512
9d215aa918a16fc426d0fa44458b19eb8511304aa0863e437fd548f02b30e337cc074f3f660aa5ea7277cebb348d4e9db9fc3cbfbcc2c4ff4d2d98cc7c6b8555

Download Submit
memory/400-174-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/400-159-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/400-157-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/400-154-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/400-153-0x0000000000000000-mapping.dmp

Download
memory/580-166-0x0000000000000000-mapping.dmp

Download
memory/1340-138-0x0000000000E10000-0x0000000001584000-memory.dmp

Filesize
7.5MB

Download
memory/1340-139-0x00000000074D0000-0x00000000074F2000-memory.dmp

Filesize
136KB

Download
memory/1340-135-0x0000000000000000-mapping.dmp

Download
memory/2184-164-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/2184-163-0x00000000754F0000-0x000000007553C000-memory.dmp

Filesize
304KB

Download
memory/2184-173-0x00000000070F0000-0x00000000070F8000-memory.dmp

Filesize
32KB

Download
memory/2184-172-0x0000000007110000-0x000000000712A000-memory.dmp

Filesize
104KB

Download
memory/2184-171-0x0000000005A40000-0x0000000005A4E000-memory.dmp

Filesize
56KB

Download
memory/2184-168-0x00000000071B0000-0x0000000007246000-memory.dmp

Filesize
600KB

Download
memory/2184-149-0x0000000000000000-mapping.dmp

Download
memory/2184-165-0x0000000006F60000-0x0000000006F6A000-memory.dmp

Filesize
40KB

Download
memory/2184-161-0x0000000006BB0000-0x0000000006BE2000-memory.dmp

Filesize
200KB

Download
memory/2228-151-0x0000000000000000-mapping.dmp

Download
memory/3800-167-0x0000000000000000-mapping.dmp

Download
memory/3804-148-0x0000000000000000-mapping.dmp

Download
memory/3836-169-0x0000000000000000-mapping.dmp

Download
memory/4264-132-0x0000000000000000-mapping.dmp

Download
memory/4948-170-0x0000000000000000-mapping.dmp

Download
memory/5056-145-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/5056-144-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/5056-141-0x0000000003240000-0x0000000003276000-memory.dmp

Filesize
216KB

Download
memory/5056-143-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/5056-146-0x0000000007E30000-0x00000000084AA000-memory.dmp

Filesize
6.5MB

Download
memory/5056-147-0x0000000006CF0000-0x0000000006D0A000-memory.dmp

Filesize
104KB

Download
memory/5056-142-0x00000000059C0000-0x0000000005FE8000-memory.dmp

Filesize
6.2MB

Download
memory/5056-140-0x0000000000000000-mapping.dmp

Download
memory/5100-162-0x0000000000000000-mapping.dmp

Download