befce83ad2b8355c2f1224c622c1b5cd075f40c2f85c3408e5348e95f0d3f126

Analysis

max time kernel
61s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AvroraX/Avr0ra X.exe
Size

288.0MB
MD5

251c808240a41384f65c2af56c740d21
SHA1

64f542b87da5197a57e65357f651447aa1da79ba
SHA256

33e181951fd9239a070d24fce986c69a8195d85bbc6a01fb0da1d59240d03a8e
SHA512

3293fb758b0d2dff86bf0c00f3a4e5aa168047437870b389038d7745bd3a97cace23246abb8bfb03571a29b663b9c236545ef94655ad6c4e0fecc26edba1982b
SSDEEP

49152:1gP6CR/DNTvyVUnXZ23kIdsUyTCp1RL5ned:1g1hTvyGYUIdiCdm

Score

10^/10

collection discovery spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Announced.pif

description pid process target process

PID 4748 created 3408 4748 Announced.pif Explorer.EXE

description	pid	process	target process
PID 4748 created 3408	4748	Announced.pif	Explorer.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Avr0ra X.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Avr0ra X.exe

Executes dropped EXE 2 IoCs

Processes:

Announced.pifAnnounced.pif

pid process

4748 Announced.pif
1548 Announced.pif
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Announced.pif

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Announced.pif
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Announced.pif
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Announced.pif

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

66 ipinfo.io
67 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

Announced.pif

description pid process target process

PID 4748 set thread context of 1548 4748 Announced.pif Announced.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
66	ipinfo.io
67	ipinfo.io

description	pid	process	target process
PID 4748 set thread context of 1548	4748	Announced.pif	Announced.pif

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Announced.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Announced.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Announced.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4688 tasklist.exe
5008 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4996 PING.EXE

pid	process
4688	tasklist.exe
5008	tasklist.exe

pid	process
4996	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Announced.pifAnnounced.pif

pid	process
4748	Announced.pif
4748	Announced.pif
4748	Announced.pif
4748	Announced.pif
4748	Announced.pif
4748	Announced.pif
4748	Announced.pif
4748	Announced.pif
1548	Announced.pif
1548	Announced.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 4688 tasklist.exe
Token: SeDebugPrivilege 5008 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Announced.pif

pid process

4748 Announced.pif
4748 Announced.pif
4748 Announced.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Announced.pif

pid process

4748 Announced.pif
4748 Announced.pif
4748 Announced.pif

description	pid	process
Token: SeDebugPrivilege	4688	tasklist.exe
Token: SeDebugPrivilege	5008	tasklist.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Avr0ra X.execmd.exeAnnounced.pif

description	pid	process	target process
PID 1356 wrote to memory of 4328	1356	Avr0ra X.exe	cmd.exe
PID 1356 wrote to memory of 4328	1356	Avr0ra X.exe	cmd.exe
PID 1356 wrote to memory of 4328	1356	Avr0ra X.exe	cmd.exe
PID 4328 wrote to memory of 4688	4328	cmd.exe	tasklist.exe
PID 4328 wrote to memory of 4688	4328	cmd.exe	tasklist.exe
PID 4328 wrote to memory of 4688	4328	cmd.exe	tasklist.exe
PID 4328 wrote to memory of 3444	4328	cmd.exe	findstr.exe
PID 4328 wrote to memory of 3444	4328	cmd.exe	findstr.exe
PID 4328 wrote to memory of 3444	4328	cmd.exe	findstr.exe
PID 4328 wrote to memory of 5008	4328	cmd.exe	tasklist.exe
PID 4328 wrote to memory of 5008	4328	cmd.exe	tasklist.exe
PID 4328 wrote to memory of 5008	4328	cmd.exe	tasklist.exe
PID 4328 wrote to memory of 3544	4328	cmd.exe	findstr.exe
PID 4328 wrote to memory of 3544	4328	cmd.exe	findstr.exe
PID 4328 wrote to memory of 3544	4328	cmd.exe	findstr.exe
PID 4328 wrote to memory of 4876	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 4876	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 4876	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 3264	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 3264	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 3264	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 4912	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 4912	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 4912	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 4748	4328	cmd.exe	Announced.pif
PID 4328 wrote to memory of 4748	4328	cmd.exe	Announced.pif
PID 4328 wrote to memory of 4748	4328	cmd.exe	Announced.pif
PID 4328 wrote to memory of 4996	4328	cmd.exe	PING.EXE
PID 4328 wrote to memory of 4996	4328	cmd.exe	PING.EXE
PID 4328 wrote to memory of 4996	4328	cmd.exe	PING.EXE
PID 4748 wrote to memory of 1548	4748	Announced.pif	Announced.pif
PID 4748 wrote to memory of 1548	4748	Announced.pif	Announced.pif
PID 4748 wrote to memory of 1548	4748	Announced.pif	Announced.pif
PID 4748 wrote to memory of 1548	4748	Announced.pif	Announced.pif
PID 4748 wrote to memory of 1548	4748	Announced.pif	Announced.pif

outlook_office_path 1 IoCs

Processes:

Announced.pif

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Announced.pif

outlook_win_path 1 IoCs

Processes:

Announced.pif

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Announced.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\AvroraX\Avr0ra X.exe
"C:\Users\Admin\AppData\Local\Temp\AvroraX\Avr0ra X.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Regional Regional.bat & Regional.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:3444

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
cmd /c md 9
4⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Kernel + Compute + Shipping + Languages + Sl + Tricks 9\Announced.pif
4⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Reality + Pages + Mw + Portuguese + Io + Samoa + Tables + Happened + Hints 9\v
4⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\9\Announced.pif
9\Announced.pif 9\v
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:4996

C:\Users\Admin\AppData\Local\Temp\9\Announced.pif
C:\Users\Admin\AppData\Local\Temp\9\Announced.pif
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9\Announced.pif
Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9\v
Filesize
2.1MB

MD5
9e0f6c32324cbcdd9e8e92d4d409ea3e

SHA1
950ee11c52bf4d2c742155f224d2b6a2835ecbca

SHA256
468d75b4f0ffe21ee180a1a8c902c9bb449b13cf20652efbd881861e84112de1

SHA512
037256226b8bd62a2bd5da11c8c73831730022fac2e260cd77b1bce87ea3db5f55db3503bb85d181eec1b0321d7cf145b611cdfa79d50661c74cf71a1b73ad4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compute
Filesize
60KB

MD5
3a5ff6af1d2441b1112f7389dea53864

SHA1
e8af977f98409e4e6a19ab074c107be7684b707a

SHA256
0202fc50e60d8ab603928a1f91a044f82e56e7707af00964e96e3ea0fc036f8c

SHA512
bbb99ae111f400d753d264607882d371f3e3e901b2e3bf7768fa944cdbd8a509d5b7397ef54d43003880c99f95aaa388c2100ac489ddb6f70d7e1fcd5b4ec76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Happened
Filesize
214KB

MD5
b3df2380998af688133ccff742b8da47

SHA1
a52b594a757155b2bcc82b13fcb2676afdcf05b7

SHA256
018bb96034f4d48f4fd9817176760e84a514404534575e97bd1b8648ce8d3b16

SHA512
bd2bdcf73f532802b99b544a78e221738bc7f8b357b30fb3ffaee0239aa764b7176e2e46e595d6dc5f8f72aea9f6d97583450e961e97ea63295212393a5ca09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hints
Filesize
174KB

MD5
d77ac889d7143fa0a9a9c6e2124afc76

SHA1
6735543ad55cc462cd211c00aad1f362ef590ed0

SHA256
9799beafc2d36538867bb1a2e98c3ca915cf880e7037768b645e057d0ca8bae4

SHA512
d4e4f7b890956c9b7bb8f04e15e5d394ddbec421a1062bb3584eed5eb3b3ffa49d85150d1c8cf450b030ebb776eb9ac07a8c47215a8b554f407d6ab069eb528c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Io
Filesize
293KB

MD5
6ccd24e3ce9ce5b3543e001a7716586d

SHA1
eb8e8ae4e4e7931744894832d4fd64621367ca18

SHA256
98c40d10cdd1dee55bee0f77eca7952ac2cf6da29761a3249df8f2c4c76e7710

SHA512
b7176533434ec18984bbcfedf096a94c9b9ef74ebe6f35888a8b97fac58504840530ea33fb1141c3a03442e403fcc216977f859a0e7b929c2dfbdfa4db0966f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kernel
Filesize
226KB

MD5
d4a9f35a87b3c1f144979b81f0f6e940

SHA1
6eb3973f421430d82ad6224c42b5e25f148de9f9

SHA256
56ebaf19a4607fcd93adafd10eb29b96e7a27f66684b8d2f403bcc083205edd8

SHA512
39cf093e00544a4a0b17af541545ea0ddbfd54c2a5547feb92ce4ec3db758a78410769d93779c21981bdf063c1882a9206f78bda7303a68d0935693da6a9b3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Languages
Filesize
299KB

MD5
245c08c63726b84b93ce965d5b047f44

SHA1
8cfdbb75d1cd903f33d0a523b3256d6aa1d9a570

SHA256
bbda9e7001a6b9ffa10869717c8a6308c63696d1346850ae45e5c6075ce0cd00

SHA512
ee21e212259ba8d34afb297a6257e625906125c3c7e0c56bd36bd3893c101eb46ec1e75c57282cb44388c3c12408b8a064854807e9eca7450cb8bd54b1f97f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mw
Filesize
232KB

MD5
dd8d484797b0e4e41ed240132af971f8

SHA1
7edbe79a12654a67dd0b35c512a4605365f88222

SHA256
296ca947054318efe237872002af1ed204090b5a73ce0c44ec980ad7653447a9

SHA512
05e47bf8d4a35d7cbaf82bca775ade0d2d8fff6b23813840c85c0e501098fc71540eb2355efd7f5e10fce5b1811504e422521ac640bcfc18a3137e2d96c0de43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pages
Filesize
245KB

MD5
f5706fe54d3bf1dbf238e58347127711

SHA1
51b1eff53a4906433727e2b1a3f9d84c448781bd

SHA256
c3d00df3c1ae3bfdbc554c66187ed1db0ee7de62ce50cd835d84a9da134e7851

SHA512
294a1567e8c0c220bb8ef0beede318881962e1613df480d18d6a330fe9b0d94af1e9794b5a905bf33909e324eb303e8920e9acc036984ad8c852cd35b49f2e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Portuguese
Filesize
212KB

MD5
48d8b37c86e560f216bbf9b78605a36f

SHA1
6aa709cd6bbe84ee2bbc91465cbd8bdeef813677

SHA256
12009281faf386c26d64a52cd1be34c94eac54c9cb26e8f5508d94c0eca6abbc

SHA512
24a43ad571dc30724f0d0cacb9b671e03348e148a45c59e6c7eb1f63f608d3834956122484f295097f0d0ee1f5ab9b03e432478bccd342dc70afa7af0df574be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reality
Filesize
252KB

MD5
380707659baefecd84866f7c9d9ad35d

SHA1
250663b599a3a33870d3f4216a5805bcdeae411e

SHA256
2fc21a60cbec4631bf1e79ae6833fc277330cbd751629fbb45ff3977b072ac95

SHA512
9d4b2acc34a6e41a49126efddcba239e91bfdb537685c94e99119e0197671d1a96270a3f81eea961d9513f9a39a6b84aab5f1faac5ec0cdd6ebfed70fef04030

Download Submit
C:\Users\Admin\AppData\Local\Temp\Regional
Filesize
23KB

MD5
9335d5fd621e2b381c566fbf55fae0f6

SHA1
547b0fc34cad4c9f9d953124bdc59b7dbbb36f1f

SHA256
c296063c8f1d838bc7aa078da504e16b8d7ff35388665cba98df2396b6b6a7d1

SHA512
688470ed1e38c547d079b9ba3f4cfcf4a8c3edd5997d0252d19380b7119ba013312e72acafc03a01ec1adc52ecc511e53420180e9908245fe1086451f4a7c9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Samoa
Filesize
267KB

MD5
7746708946e844832b2efd0f48e8dbb0

SHA1
e8b968c1ce3f82a7c9fffb72f195656323d3f74f

SHA256
d5c95ef866cf3a107d4280b783c33225b61b85c0d7a7c1b7dc42ed8872c91646

SHA512
6c4c137710f751527c35095a087e287b555e1e868ea9093c611cc345694b974c3b99f902da9ff4bdb5c09ea24ae6b4539eb6032c8f2f7f43457b6e65636e3d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shipping
Filesize
179KB

MD5
2ecf4b99dbd78f781b01904c3d6f45ce

SHA1
751f4ab92e33e18c6cea3ce43dd297ba27fc4a0e

SHA256
220961d6bfaeacbde91416f50088a1534eb019aa0c1a4d418f70e3195b0eff60

SHA512
4fa8369816e77c4dd38eec4e390f943e0492bd528a81133875cfcb64b17fdde95831c826486913d4ff2f60c4dd3f54f507c267baca285572482f439d2596bac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sl
Filesize
132KB

MD5
08d5c3c76696d6c167164b28814fa90d

SHA1
5a905cde201d69f46e6008a2bd5322ed05c247d5

SHA256
06c757ab5808189746ef98b2e45223cbf36f94acbec3a31c2dd08ae8fc8d5058

SHA512
abbd7eda2b10e40315178b9c6ea5dc0dd530ebb8bb7d0087f0175ad1b480f2bf839b8e593baf5b1090df8f78134419ea498c8e4cf9aaa30a8be619b12f0f1c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tables
Filesize
212KB

MD5
20fa5c762523381091f0196bc512a8ba

SHA1
3c3e8ca49910a9622cfc8a457fa32d492414e6ee

SHA256
87ba65e6acdcd49be8f16c05d968f3045ec1fe54f2e21b27d94cc7713f9440b1

SHA512
ad6b5006db5ff8d56a875354961e163036d41ed5282a3b4b0a6a9148473da7e85d0c2fc23ee42032ba8932476eb8d80d1435a384a1dc16062afe4de9c8ee886c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tricks
Filesize
29KB

MD5
c49320ab95a85d1406f01b7d18f3c703

SHA1
029d47e4bec9fdf04d8eb843213b551998699ba1

SHA256
4c8655d51211e58268360affeb0ea49a62babe590dc5355e3249724720f33972

SHA512
b7ff206a936d5693b675e9f5ce1010d61114e44a9f71ab1b7e5ff0da32af9a4fceeadb110db4e12ba53b00bd9cd0b8c3dc086e615544354c20c829840ad79d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi7zLuRS3xA0U6\FFneSHU35yKfWeb Data
Filesize
92KB

MD5
e8f919eb3795f27658a2f95583bf36bb

SHA1
d8ae8815c9da6dec561e52abb66743d625cbddb9

SHA256
1ec1d367eac52ea5d2d16124748fa2d0d68818ad183ce3879701ca49a71e7672

SHA512
f91c06d0aa4075420dbf0a3d114e9f910d62640779c8d78f956cf76aa1db3afb34fc3c403ea27a6dcd10553b3dcd5ccdfa39b88a5f4b4a53b4a2b7973b075b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi7zLuRS3xA0U6\VdVuMpxmroRKWeb Data
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
memory/1548-44-0x00000000016A0000-0x00000000017E3000-memory.dmp

Filesize
1.3MB

Download
memory/1548-121-0x00000000016A0000-0x00000000017E3000-memory.dmp

Filesize
1.3MB

Download
memory/1548-41-0x00000000016A0000-0x00000000017E3000-memory.dmp

Filesize
1.3MB

Download
memory/1548-46-0x00000000016A0000-0x00000000017E3000-memory.dmp

Filesize
1.3MB

Download
memory/1548-47-0x00000000016A0000-0x00000000017E3000-memory.dmp

Filesize
1.3MB

Download
memory/1548-58-0x00000000016A0000-0x00000000017E3000-memory.dmp

Filesize
1.3MB

Download
memory/1548-59-0x00000000016A0000-0x00000000017E3000-memory.dmp

Filesize
1.3MB

Download
memory/1548-42-0x00000000016A0000-0x00000000017E3000-memory.dmp

Filesize
1.3MB

Download
memory/1548-105-0x00000000016A0000-0x00000000017E3000-memory.dmp

Filesize
1.3MB

Download
memory/1548-106-0x00000000016A0000-0x00000000017E3000-memory.dmp

Filesize
1.3MB

Download
memory/1548-122-0x00000000016A0000-0x00000000017E3000-memory.dmp

Filesize
1.3MB

Download
memory/1548-117-0x00000000016A0000-0x00000000017E3000-memory.dmp

Filesize
1.3MB

Download
memory/4748-39-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4748-37-0x0000000077E41000-0x0000000077F61000-memory.dmp

Filesize
1.1MB

Download