aurora | 3834b805ba68b1d8bbb041e6789d1cf564af626954d7d03b592b3dfc58522746

Analysis

max time kernel
182s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AURORA_STEALER.zip
Size

13.0MB
MD5

5fa1d8bed0a6cd19007923b7e0512075
SHA1

9fadb9f7f943bc61519cc6fba17e33723ee8b9d9
SHA256

3834b805ba68b1d8bbb041e6789d1cf564af626954d7d03b592b3dfc58522746
SHA512

f6731839bfc69434bede686ec44e1df83498b8572eaf55ad0e6805764b56344c10858333d181bb69b5c6d25d22089ce4d8049255c5f3a58920c10b2331c207ba
SSDEEP

393216:cFEaPdyKmdMrLUrekEAlgyGVG7rNfFujxUh7f6hiL0bQPF:AEahmTxlL9yxaosN

Score

10^/10

aurora redline discovery infostealer stealer

Malware Config

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Aurora family
aurora
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1636-22-0x0000000000500000-0x0000000000556000-memory.dmp	family_redline
behavioral1/memory/5092-46-0x0000000000D10000-0x0000000000D66000-memory.dmp	family_redline
behavioral1/memory/3620-58-0x0000000000A10000-0x0000000000A66000-memory.dmp	family_redline
behavioral1/memory/4544-71-0x00000000008F0000-0x0000000000946000-memory.dmp	family_redline
behavioral1/memory/2488-84-0x00000000009E0000-0x0000000000A36000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Aurora.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Aurora.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Aurora.exe

Executes dropped EXE 11 IoCs

pid	Process
2728	Aurora.exe
1636	build.exe
4052	Aurora 22.12.2022_.exe
5092	crack.exe
3620	crack.exe
4544	crack.exe
2488	crack.exe
4912	Aurora.exe
2756	Aurora 22.12.2022_.exe
2820	Aurora.exe
3944	Aurora 22.12.2022_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aurora.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aurora.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aurora.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crack.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Aurora 22.12.2022_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Aurora 22.12.2022_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Aurora 22.12.2022_.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4132	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	4132	7zFM.exe
Token: 35	4132	7zFM.exe
Token: SeSecurityPrivilege	4132	7zFM.exe
Token: SeSecurityPrivilege	4132	7zFM.exe
Token: SeSecurityPrivilege	4132	7zFM.exe
Token: SeSecurityPrivilege	4132	7zFM.exe
Token: SeSecurityPrivilege	4132	7zFM.exe
Token: SeSecurityPrivilege	4132	7zFM.exe
Token: SeSecurityPrivilege	4132	7zFM.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe
4132	7zFM.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 2728	4132	7zFM.exe	100
PID 4132 wrote to memory of 2728	4132	7zFM.exe	100
PID 4132 wrote to memory of 2728	4132	7zFM.exe	100
PID 2728 wrote to memory of 1636	2728	Aurora.exe	102
PID 2728 wrote to memory of 1636	2728	Aurora.exe	102
PID 2728 wrote to memory of 1636	2728	Aurora.exe	102
PID 2728 wrote to memory of 4052	2728	Aurora.exe	104
PID 2728 wrote to memory of 4052	2728	Aurora.exe	104
PID 4132 wrote to memory of 5092	4132	7zFM.exe	108
PID 4132 wrote to memory of 5092	4132	7zFM.exe	108
PID 4132 wrote to memory of 5092	4132	7zFM.exe	108
PID 4132 wrote to memory of 3620	4132	7zFM.exe	112
PID 4132 wrote to memory of 3620	4132	7zFM.exe	112
PID 4132 wrote to memory of 3620	4132	7zFM.exe	112
PID 4132 wrote to memory of 4544	4132	7zFM.exe	117
PID 4132 wrote to memory of 4544	4132	7zFM.exe	117
PID 4132 wrote to memory of 4544	4132	7zFM.exe	117
PID 4132 wrote to memory of 2488	4132	7zFM.exe	119
PID 4132 wrote to memory of 2488	4132	7zFM.exe	119
PID 4132 wrote to memory of 2488	4132	7zFM.exe	119
PID 4132 wrote to memory of 4912	4132	7zFM.exe	121
PID 4132 wrote to memory of 4912	4132	7zFM.exe	121
PID 4132 wrote to memory of 4912	4132	7zFM.exe	121
PID 4912 wrote to memory of 2756	4912	Aurora.exe	122
PID 4912 wrote to memory of 2756	4912	Aurora.exe	122
PID 4132 wrote to memory of 2820	4132	7zFM.exe	127
PID 4132 wrote to memory of 2820	4132	7zFM.exe	127
PID 4132 wrote to memory of 2820	4132	7zFM.exe	127
PID 2820 wrote to memory of 3944	2820	Aurora.exe	128
PID 2820 wrote to memory of 3944	2820	Aurora.exe	128

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Users\Admin\AppData\Local\Temp\7zO42038CA7\Aurora.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO42038CA7\Aurora.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1636
- - C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
    "C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
    3⤵
    - Executes dropped EXE
    PID:4052
- C:\Users\Admin\AppData\Local\Temp\7zO420B1509\crack.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO420B1509\crack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5092
- C:\Users\Admin\AppData\Local\Temp\7zO42019C09\crack.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO42019C09\crack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3620
- C:\Users\Admin\AppData\Local\Temp\7zO420B3729\crack.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO420B3729\crack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4544
- C:\Users\Admin\AppData\Local\Temp\7zO420CDC29\crack.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO420CDC29\crack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\7zO4208B139\Aurora.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4208B139\Aurora.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
    "C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
    3⤵
    - Executes dropped EXE
    PID:2756
- C:\Users\Admin\AppData\Local\Temp\7zO42060099\Aurora.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO42060099\Aurora.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
    "C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO42038CA7\Aurora.exe

Filesize
25.9MB

MD5
be0aabd5d53378099712611c6bc8b56c

SHA1
b4c03dc06e24b0d9ae3978f0e5b2ad96629abc3c

SHA256
b37537ab33af1470ef80f5b61c430802d97656aa07fd2533a1de62322ea52720

SHA512
e4709de3cc96e20880d3aa14339687201eda54ee0eeb111df11a702949f4b21ac2c088da0d3d5ead049294804ec5f8d2be27ab176b99f1110785b4d078b91639

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe

Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
506KB

MD5
e5fb57e8214483fd395bd431cb3d1c4b

SHA1
60e22fc9e0068c8156462f003760efdcac82766b

SHA256
e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684

SHA512
dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

Download Submit
memory/1636-22-0x0000000000500000-0x0000000000556000-memory.dmp

Filesize
344KB

Download
memory/1636-30-0x0000000005290000-0x00000000058A8000-memory.dmp

Filesize
6.1MB

Download
memory/1636-31-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1636-32-0x0000000004D80000-0x0000000004E8A000-memory.dmp

Filesize
1.0MB

Download
memory/1636-33-0x0000000004C00000-0x0000000004C3C000-memory.dmp

Filesize
240KB

Download
memory/1636-34-0x0000000004C70000-0x0000000004CBC000-memory.dmp

Filesize
304KB

Download
memory/2488-84-0x00000000009E0000-0x0000000000A36000-memory.dmp

Filesize
344KB

Download
memory/2728-28-0x0000000000400000-0x0000000001DF6000-memory.dmp

Filesize
26.0MB

Download
memory/2756-106-0x00007FF7FA800000-0x00007FF7FC10B000-memory.dmp

Filesize
25.0MB

Download
memory/2756-107-0x00007FF7FA800000-0x00007FF7FC10B000-memory.dmp

Filesize
25.0MB

Download
memory/2820-124-0x0000000000400000-0x0000000001DF6000-memory.dmp

Filesize
26.0MB

Download
memory/3620-58-0x0000000000A10000-0x0000000000A66000-memory.dmp

Filesize
344KB

Download
memory/3944-126-0x00007FF603770000-0x00007FF60507B000-memory.dmp

Filesize
25.0MB

Download
memory/4052-35-0x00007FF797240000-0x00007FF798B4B000-memory.dmp

Filesize
25.0MB

Download
memory/4544-71-0x00000000008F0000-0x0000000000946000-memory.dmp

Filesize
344KB

Download
memory/4912-104-0x0000000000400000-0x0000000001DF6000-memory.dmp

Filesize
26.0MB

Download
memory/5092-46-0x0000000000D10000-0x0000000000D66000-memory.dmp

Filesize
344KB

Download