purelogstealer | 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

Analysis

max time kernel
159s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
Size

419KB
MD5

8a716466aa6f2d425ec09770626e8e54
SHA1

62fb757ea5098651331f91c1664db9fe46b21879
SHA256

585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815
SHA512

54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940
SSDEEP

6144:QTCsE3O4yuS5O0RBOInaCa6G6ypdf4Bf7e/DnjBeq04fVXOUvE0CGsSE9BLM:2E3O5uOO0mInnGZCTS84fZLtw

Score

10^/10

purelogstealer xworm rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

5.182.87.154:7000

Mutex

VMFidhoqn75fm5lJ

Attributes

Install_directory
%Temp%
install_file
mdnsresp.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/820-15-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/4696-7-0x0000000005A90000-0x0000000005AD8000-memory.dmp	family_purelog_stealer

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdnsresp.lnk	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4696 set thread context of 820	4696	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1116	powershell.exe
1116	powershell.exe
3880	powershell.exe
3880	powershell.exe
3880	powershell.exe
1116	powershell.exe
1312	powershell.exe
1312	powershell.exe
1312	powershell.exe
316	powershell.exe
316	powershell.exe
316	powershell.exe
1496	powershell.exe
1496	powershell.exe
1496	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
Token: SeDebugPrivilege	820	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 1116	4696	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	108
PID 4696 wrote to memory of 1116	4696	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	108
PID 4696 wrote to memory of 1116	4696	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	108
PID 4696 wrote to memory of 820	4696	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	110
PID 4696 wrote to memory of 820	4696	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	110
PID 4696 wrote to memory of 820	4696	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	110
PID 4696 wrote to memory of 820	4696	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	110
PID 4696 wrote to memory of 820	4696	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	110
PID 4696 wrote to memory of 820	4696	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	110
PID 4696 wrote to memory of 820	4696	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	110
PID 4696 wrote to memory of 820	4696	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	110
PID 820 wrote to memory of 3880	820	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	112
PID 820 wrote to memory of 3880	820	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	112
PID 820 wrote to memory of 3880	820	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	112
PID 820 wrote to memory of 1312	820	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	119
PID 820 wrote to memory of 1312	820	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	119
PID 820 wrote to memory of 1312	820	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	119
PID 820 wrote to memory of 316	820	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	121
PID 820 wrote to memory of 316	820	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	121
PID 820 wrote to memory of 316	820	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	121
PID 820 wrote to memory of 1496	820	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	124
PID 820 wrote to memory of 1496	820	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	124
PID 820 wrote to memory of 1496	820	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	124

C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
"C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANQA4ADUAZAAxAGYAYgA0AGYAMgA4ADgAOQA3ADQAYgA2ADgAMwBjADUAYQBiAGYAYgAxADAAYwA5ADcAZAA3AGQAMgBhAGUAMwBmADUAOQBjADIAYgBjAGYAZAA3ADgAYgBhADIANwAyAGUAMwBiAGUAMgBjAGQANwA4ADEANQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAANQA4ADUAZAAxAGYAYgA0AGYAMgA4ADgAOQA3ADQAYgA2ADgAMwBjADUAYQBiAGYAYgAxADAAYwA5ADcAZAA3AGQAMgBhAGUAMwBmADUAOQBjADIAYgBjAGYAZAA3ADgAYgBhADIANwAyAGUAMwBiAGUAMgBjAGQANwA4ADEANQAuAGUAeABlADsA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
  C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3660 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe.log

Filesize
1KB

MD5
8c2da65103d6b46d8cf610b118210cf0

SHA1
9db4638340bb74f2af3161cc2c9c0b8b32e6ab65

SHA256
0e48e2efd419951e0eb9a8d942493cfdf5540d1d19ff9dae6f145fb3ebcbeeac

SHA512
3cf5a125276e264cd8478f2b92d3848fb68b96d46eb4a39e650d09df02068c274881a1c314cdfbfdcb452672fb70dd8becf3ffe9562d39919d9c4d6b07fbb614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
eb15a5a98c7fd7f25df79e37aeaa2a5b

SHA1
5dfda5669e505730ad2b17a951389bff0ba7fa61

SHA256
d136f8e1de0947f445c073d098f7a52de7a16293765e4395ddb0842e1aee5fbc

SHA512
6bfc674a8575ef39a7bc2da4bf8a583b95faa2676422dfb771444035441ff17ac3bd678a1e18c6c5224cbfcfe8c4b8f52a82b47f09b15145ee9f0dfb3a904c14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
287437cb4393a9926f2fd43befd20a33

SHA1
a6fdb6a46f5ed67c138c53f1ad39f22b74b75c24

SHA256
43ec606afdbf50dba71d95cc4dcb880800d75791fdd1f52c68774d2bcd9a4880

SHA512
ddddf93648e594fd95e826fa590c171a40739e9d5669c6926c3d1b231dff3d14280db3e9b80ecea880373531d49a14dff564e917040e3c2753881317b4b8b5ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
25b173e1578c18d3c806efe76898895b

SHA1
0b14a8950c17b1c05516dd4d09acbaab9511c41e

SHA256
5f3b208f513de016de8938776b8980949bd090612c52ed6e92c5814add4652d7

SHA512
bbea8cbd6469562ae8f8a546160a7895a8586ebced19fec663d574e340433d83607e40fd93bd49a8c1afe00cc20c9a59d34ef32624525bc4e6790d6c09de5a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqd24uls.qlv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/316-122-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/820-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/820-50-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/820-19-0x0000000004E70000-0x0000000004F0C000-memory.dmp

Filesize
624KB

Download
memory/820-18-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1116-91-0x0000000007490000-0x0000000007498000-memory.dmp

Filesize
32KB

Download
memory/1116-49-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1116-14-0x0000000002940000-0x0000000002976000-memory.dmp

Filesize
216KB

Download
memory/1116-12-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1116-57-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1116-82-0x00000000078F0000-0x0000000007F6A000-memory.dmp

Filesize
6.5MB

Download
memory/1116-55-0x0000000006030000-0x000000000607C000-memory.dmp

Filesize
304KB

Download
memory/1116-84-0x00000000072F0000-0x00000000072FA000-memory.dmp

Filesize
40KB

Download
memory/1116-21-0x0000000005220000-0x0000000005848000-memory.dmp

Filesize
6.2MB

Download
memory/1116-86-0x00000000074F0000-0x0000000007501000-memory.dmp

Filesize
68KB

Download
memory/1116-87-0x00000000065A0000-0x00000000065AE000-memory.dmp

Filesize
56KB

Download
memory/1116-88-0x00000000065B0000-0x00000000065C4000-memory.dmp

Filesize
80KB

Download
memory/1116-101-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1116-26-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/1116-13-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1116-92-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1116-38-0x00000000059A0000-0x0000000005CF4000-memory.dmp

Filesize
3.3MB

Download
memory/1116-41-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1116-48-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1116-60-0x0000000070E00000-0x0000000070E4C000-memory.dmp

Filesize
304KB

Download
memory/1116-90-0x00000000074A0000-0x00000000074BA000-memory.dmp

Filesize
104KB

Download
memory/1312-103-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1312-104-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/1312-105-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/1312-111-0x00000000057A0000-0x0000000005AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1312-117-0x0000000006230000-0x000000000627C000-memory.dmp

Filesize
304KB

Download
memory/1312-119-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/1312-121-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3880-27-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/3880-23-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/3880-63-0x0000000070E00000-0x0000000070E4C000-memory.dmp

Filesize
304KB

Download
memory/3880-59-0x0000000006CA0000-0x0000000006CD2000-memory.dmp

Filesize
200KB

Download
memory/3880-80-0x0000000006C80000-0x0000000006C9E000-memory.dmp

Filesize
120KB

Download
memory/3880-81-0x0000000007920000-0x00000000079C3000-memory.dmp

Filesize
652KB

Download
memory/3880-56-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/3880-83-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/3880-54-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/3880-85-0x0000000007D00000-0x0000000007D96000-memory.dmp

Filesize
600KB

Download
memory/3880-53-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/3880-52-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/3880-51-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3880-89-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/3880-22-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3880-58-0x000000007F990000-0x000000007F9A0000-memory.dmp

Filesize
64KB

Download
memory/3880-24-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/3880-25-0x0000000005E70000-0x0000000005E92000-memory.dmp

Filesize
136KB

Download
memory/3880-100-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4696-4-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/4696-5-0x0000000005840000-0x000000000584A000-memory.dmp

Filesize
40KB

Download
memory/4696-8-0x0000000005AE0000-0x0000000005B10000-memory.dmp

Filesize
192KB

Download
memory/4696-0-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4696-7-0x0000000005A90000-0x0000000005AD8000-memory.dmp

Filesize
288KB

Download
memory/4696-20-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4696-6-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4696-9-0x0000000005B10000-0x0000000005B40000-memory.dmp

Filesize
192KB

Download
memory/4696-10-0x0000000005B70000-0x0000000005BBC000-memory.dmp

Filesize
304KB

Download
memory/4696-11-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/4696-3-0x0000000005880000-0x0000000005912000-memory.dmp

Filesize
584KB

Download
memory/4696-2-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/4696-1-0x0000000000DE0000-0x0000000000E50000-memory.dmp

Filesize
448KB

Download