bitrat | 1df11ec4ef8cfeda563e1103d5e0cdc4ed10601b37e0ea9f93be82433ab68c72

Analysis

max time kernel
148s
max time network
148s
platform
windows10_x64
resource
win10-en-20211208
submitted
07-01-2022 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order_2190034_January.exe
Size

785KB
MD5

751cfacd6de472704d072d56cd27769e
SHA1

733fd283e27fedb060e4b841f4737a28ba126600
SHA256

1df11ec4ef8cfeda563e1103d5e0cdc4ed10601b37e0ea9f93be82433ab68c72
SHA512

b036ad1a18b920fe56686d6a8b699286dc646bf992823617b73b1f7bae7197ffe1ebc80999a861cab92bf97fcb6855cdcef061d8bf5a27631179b467ffec2d39

Score

10^/10

bitrat evasion persistence suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

severdops.ddns.net:3071

Attributes

communication_password
29ef52e7563626a96cea7f4b4085c124
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

c39y8wmgrNQPnHN3.exe

pid process

4404 c39y8wmgrNQPnHN3.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4996-182-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral2/memory/4996-189-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral2/memory/4996-202-0x0000000000400000-0x00000000007E5000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

c39y8wmgrNQPnHN3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	c39y8wmgrNQPnHN3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	c39y8wmgrNQPnHN3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\GLOSSERSECC\svchost.exe = "0"	c39y8wmgrNQPnHN3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\c39y8wmgrNQPnHN3.exe = "0"	c39y8wmgrNQPnHN3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c39y8wmgrNQPnHN3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\MURRINEADC = "C:\\Windows\\Microsoft.NET\\Framework\\GLOSSERSECC\\svchost.exe"	c39y8wmgrNQPnHN3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

vbc.exe

pid process

4996 vbc.exe
4996 vbc.exe
4996 vbc.exe
4996 vbc.exe
4996 vbc.exe

pid	process
4996	vbc.exe
4996	vbc.exe
4996	vbc.exe
4996	vbc.exe
4996	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Order_2190034_January.exec39y8wmgrNQPnHN3.exe

description	pid	process	target process
PID 3584 set thread context of 4512	3584	Order_2190034_January.exe	Order_2190034_January.exe
PID 4404 set thread context of 4996	4404	c39y8wmgrNQPnHN3.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

c39y8wmgrNQPnHN3.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\GLOSSERSECC\svchost.exe c39y8wmgrNQPnHN3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\GLOSSERSECC\svchost.exe	c39y8wmgrNQPnHN3.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

c39y8wmgrNQPnHN3.exepowershell.exepowershell.exepowershell.exe

pid	process
4404	c39y8wmgrNQPnHN3.exe
4404	c39y8wmgrNQPnHN3.exe
4404	c39y8wmgrNQPnHN3.exe
4404	c39y8wmgrNQPnHN3.exe
1268	powershell.exe
1036	powershell.exe
1476	powershell.exe
1476	powershell.exe
1268	powershell.exe
1036	powershell.exe
4404	c39y8wmgrNQPnHN3.exe
4404	c39y8wmgrNQPnHN3.exe
4404	c39y8wmgrNQPnHN3.exe
4404	c39y8wmgrNQPnHN3.exe
4404	c39y8wmgrNQPnHN3.exe
4404	c39y8wmgrNQPnHN3.exe
4404	c39y8wmgrNQPnHN3.exe
4404	c39y8wmgrNQPnHN3.exe
1036	powershell.exe
1268	powershell.exe
1476	powershell.exe
4404	c39y8wmgrNQPnHN3.exe
4404	c39y8wmgrNQPnHN3.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

c39y8wmgrNQPnHN3.exepowershell.exepowershell.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4404	c39y8wmgrNQPnHN3.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeShutdownPrivilege	4996	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exe

pid process

4996 vbc.exe
4996 vbc.exe

pid	process
4996	vbc.exe
4996	vbc.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

Order_2190034_January.exeOrder_2190034_January.exec39y8wmgrNQPnHN3.exe

description	pid	process	target process
PID 3584 wrote to memory of 4512	3584	Order_2190034_January.exe	Order_2190034_January.exe
PID 3584 wrote to memory of 4512	3584	Order_2190034_January.exe	Order_2190034_January.exe
PID 3584 wrote to memory of 4512	3584	Order_2190034_January.exe	Order_2190034_January.exe
PID 3584 wrote to memory of 4512	3584	Order_2190034_January.exe	Order_2190034_January.exe
PID 3584 wrote to memory of 4512	3584	Order_2190034_January.exe	Order_2190034_January.exe
PID 3584 wrote to memory of 4512	3584	Order_2190034_January.exe	Order_2190034_January.exe
PID 3584 wrote to memory of 4512	3584	Order_2190034_January.exe	Order_2190034_January.exe
PID 3584 wrote to memory of 4512	3584	Order_2190034_January.exe	Order_2190034_January.exe
PID 3584 wrote to memory of 4512	3584	Order_2190034_January.exe	Order_2190034_January.exe
PID 3584 wrote to memory of 4512	3584	Order_2190034_January.exe	Order_2190034_January.exe
PID 3584 wrote to memory of 4512	3584	Order_2190034_January.exe	Order_2190034_January.exe
PID 4512 wrote to memory of 4404	4512	Order_2190034_January.exe	c39y8wmgrNQPnHN3.exe
PID 4512 wrote to memory of 4404	4512	Order_2190034_January.exe	c39y8wmgrNQPnHN3.exe
PID 4512 wrote to memory of 4404	4512	Order_2190034_January.exe	c39y8wmgrNQPnHN3.exe
PID 4404 wrote to memory of 1036	4404	c39y8wmgrNQPnHN3.exe	powershell.exe
PID 4404 wrote to memory of 1036	4404	c39y8wmgrNQPnHN3.exe	powershell.exe
PID 4404 wrote to memory of 1036	4404	c39y8wmgrNQPnHN3.exe	powershell.exe
PID 4404 wrote to memory of 1268	4404	c39y8wmgrNQPnHN3.exe	powershell.exe
PID 4404 wrote to memory of 1268	4404	c39y8wmgrNQPnHN3.exe	powershell.exe
PID 4404 wrote to memory of 1268	4404	c39y8wmgrNQPnHN3.exe	powershell.exe
PID 4404 wrote to memory of 1476	4404	c39y8wmgrNQPnHN3.exe	powershell.exe
PID 4404 wrote to memory of 1476	4404	c39y8wmgrNQPnHN3.exe	powershell.exe
PID 4404 wrote to memory of 1476	4404	c39y8wmgrNQPnHN3.exe	powershell.exe
PID 4404 wrote to memory of 4932	4404	c39y8wmgrNQPnHN3.exe	mscorsvw.exe
PID 4404 wrote to memory of 4932	4404	c39y8wmgrNQPnHN3.exe	mscorsvw.exe
PID 4404 wrote to memory of 4932	4404	c39y8wmgrNQPnHN3.exe	mscorsvw.exe
PID 4404 wrote to memory of 4968	4404	c39y8wmgrNQPnHN3.exe	aspnet_regiis.exe
PID 4404 wrote to memory of 4968	4404	c39y8wmgrNQPnHN3.exe	aspnet_regiis.exe
PID 4404 wrote to memory of 4968	4404	c39y8wmgrNQPnHN3.exe	aspnet_regiis.exe
PID 4404 wrote to memory of 4996	4404	c39y8wmgrNQPnHN3.exe	vbc.exe
PID 4404 wrote to memory of 4996	4404	c39y8wmgrNQPnHN3.exe	vbc.exe
PID 4404 wrote to memory of 4996	4404	c39y8wmgrNQPnHN3.exe	vbc.exe
PID 4404 wrote to memory of 4996	4404	c39y8wmgrNQPnHN3.exe	vbc.exe
PID 4404 wrote to memory of 4996	4404	c39y8wmgrNQPnHN3.exe	vbc.exe
PID 4404 wrote to memory of 4996	4404	c39y8wmgrNQPnHN3.exe	vbc.exe
PID 4404 wrote to memory of 4996	4404	c39y8wmgrNQPnHN3.exe	vbc.exe
PID 4404 wrote to memory of 4996	4404	c39y8wmgrNQPnHN3.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Order_2190034_January.exe
"C:\Users\Admin\AppData\Local\Temp\Order_2190034_January.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3584

C:\Users\Admin\AppData\Local\Temp\Order_2190034_January.exe
"C:\Users\Admin\AppData\Local\Temp\Order_2190034_January.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\c39y8wmgrNQPnHN3.exe
"C:\Users\Admin\AppData\Local\Temp\c39y8wmgrNQPnHN3.exe"
3⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\GLOSSERSECC\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\GLOSSERSECC\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c39y8wmgrNQPnHN3.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
4⤵
PID:4932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
4⤵
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
517b8cd4a0d104ab2b123efc69b61f67

SHA1
42568547c88f9e3ffc709dba342052f7c12f1a0a

SHA256
b03a03151bcbbdc544eae3b109417d0f1cbd1db8b0d6a28bbbe210b9e88dded1

SHA512
cd28742a25557e2fdf81f8b15e57054d65039dee45af02081844cac4b8ee842ceb94fa0838990f9255759b701b4b0df2160248b4f8b6280bcc51395dbd225355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
517b8cd4a0d104ab2b123efc69b61f67

SHA1
42568547c88f9e3ffc709dba342052f7c12f1a0a

SHA256
b03a03151bcbbdc544eae3b109417d0f1cbd1db8b0d6a28bbbe210b9e88dded1

SHA512
cd28742a25557e2fdf81f8b15e57054d65039dee45af02081844cac4b8ee842ceb94fa0838990f9255759b701b4b0df2160248b4f8b6280bcc51395dbd225355

Download Submit
C:\Users\Admin\AppData\Local\Temp\c39y8wmgrNQPnHN3.exe
MD5
0a7dba172f5485536a67007bbb67f209

SHA1
7352fbbee9419e6afe958bfd34d55ffafeda0d58

SHA256
f10d43cfd07a986f1f3c75eb7c90af7e1d841530709f8dcac64bfbfcb53ec736

SHA512
6f2c94a396ed78e925c0d3dd6926498a7ba78bb5a111287b5c0b1122681e196fc526496a433e5b3b431988a5d6eb75218d0b5c814971163dbc489193454d14ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c39y8wmgrNQPnHN3.exe
MD5
0a7dba172f5485536a67007bbb67f209

SHA1
7352fbbee9419e6afe958bfd34d55ffafeda0d58

SHA256
f10d43cfd07a986f1f3c75eb7c90af7e1d841530709f8dcac64bfbfcb53ec736

SHA512
6f2c94a396ed78e925c0d3dd6926498a7ba78bb5a111287b5c0b1122681e196fc526496a433e5b3b431988a5d6eb75218d0b5c814971163dbc489193454d14ba

Download Submit
memory/1036-179-0x0000000008C10000-0x0000000008C5B000-memory.dmp

Filesize
300KB

Download
memory/1036-168-0x00000000082E0000-0x0000000008630000-memory.dmp

Filesize
3.3MB

Download
memory/1036-215-0x0000000009AC0000-0x0000000009AF3000-memory.dmp

Filesize
204KB

Download
memory/1036-191-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/1036-183-0x00000000089F0000-0x0000000008A66000-memory.dmp

Filesize
472KB

Download
memory/1036-141-0x0000000000000000-mapping.dmp

Download
memory/1036-176-0x0000000008280000-0x000000000829C000-memory.dmp

Filesize
112KB

Download
memory/1036-219-0x0000000009AC0000-0x0000000009AF3000-memory.dmp

Filesize
204KB

Download
memory/1036-213-0x0000000007970000-0x0000000007F98000-memory.dmp

Filesize
6.2MB

Download
memory/1036-221-0x0000000007940000-0x0000000007962000-memory.dmp

Filesize
136KB

Download
memory/1036-170-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/1036-173-0x0000000007332000-0x0000000007333000-memory.dmp

Filesize
4KB

Download
memory/1036-164-0x0000000008080000-0x00000000080E6000-memory.dmp

Filesize
408KB

Download
memory/1036-161-0x0000000008010000-0x0000000008076000-memory.dmp

Filesize
408KB

Download
memory/1036-160-0x0000000007940000-0x0000000007962000-memory.dmp

Filesize
136KB

Download
memory/1036-155-0x0000000007970000-0x0000000007F98000-memory.dmp

Filesize
6.2MB

Download
memory/1036-144-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/1036-151-0x0000000007220000-0x0000000007256000-memory.dmp

Filesize
216KB

Download
memory/1036-148-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/1268-180-0x00000000077E0000-0x00000000077FC000-memory.dmp

Filesize
112KB

Download
memory/1268-159-0x0000000006E40000-0x0000000006E62000-memory.dmp

Filesize
136KB

Download
memory/1268-190-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/1268-145-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/1268-188-0x0000000007FB0000-0x0000000008026000-memory.dmp

Filesize
472KB

Download
memory/1268-181-0x0000000008200000-0x000000000824B000-memory.dmp

Filesize
300KB

Download
memory/1268-142-0x0000000000000000-mapping.dmp

Download
memory/1268-172-0x0000000006B22000-0x0000000006B23000-memory.dmp

Filesize
4KB

Download
memory/1268-149-0x00000000044F0000-0x0000000004526000-memory.dmp

Filesize
216KB

Download
memory/1268-171-0x0000000007900000-0x0000000007C50000-memory.dmp

Filesize
3.3MB

Download
memory/1268-166-0x0000000006FE0000-0x0000000007046000-memory.dmp

Filesize
408KB

Download
memory/1268-146-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/1268-167-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/1268-162-0x0000000007800000-0x0000000007866000-memory.dmp

Filesize
408KB

Download
memory/1268-156-0x0000000007160000-0x0000000007788000-memory.dmp

Filesize
6.2MB

Download
memory/1476-175-0x0000000006AA2000-0x0000000006AA3000-memory.dmp

Filesize
4KB

Download
memory/1476-220-0x0000000009150000-0x0000000009183000-memory.dmp

Filesize
204KB

Download
memory/1476-157-0x00000000070E0000-0x0000000007708000-memory.dmp

Filesize
6.2MB

Download
memory/1476-158-0x0000000006ED0000-0x0000000006EF2000-memory.dmp

Filesize
136KB

Download
memory/1476-193-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/1476-143-0x0000000000000000-mapping.dmp

Download
memory/1476-154-0x0000000006900000-0x0000000006936000-memory.dmp

Filesize
216KB

Download
memory/1476-165-0x0000000007780000-0x00000000077E6000-memory.dmp

Filesize
408KB

Download
memory/1476-178-0x0000000007DB0000-0x0000000007DFB000-memory.dmp

Filesize
300KB

Download
memory/1476-163-0x0000000007070000-0x00000000070D6000-memory.dmp

Filesize
408KB

Download
memory/1476-214-0x00000000070E0000-0x0000000007708000-memory.dmp

Filesize
6.2MB

Download
memory/1476-153-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/1476-152-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/1476-177-0x0000000007C70000-0x0000000007C8C000-memory.dmp

Filesize
112KB

Download
memory/1476-217-0x0000000009150000-0x0000000009183000-memory.dmp

Filesize
204KB

Download
memory/1476-184-0x00000000080A0000-0x0000000008116000-memory.dmp

Filesize
472KB

Download
memory/1476-174-0x0000000006AA0000-0x0000000006AA1000-memory.dmp

Filesize
4KB

Download
memory/1476-169-0x0000000007820000-0x0000000007B70000-memory.dmp

Filesize
3.3MB

Download
memory/3584-123-0x0000000008760000-0x00000000087AB000-memory.dmp

Filesize
300KB

Download
memory/3584-122-0x0000000008800000-0x000000000889C000-memory.dmp

Filesize
624KB

Download
memory/3584-121-0x00000000084C0000-0x00000000084CC000-memory.dmp

Filesize
48KB

Download
memory/3584-120-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/3584-124-0x0000000008A10000-0x0000000008A86000-memory.dmp

Filesize
472KB

Download
memory/3584-119-0x0000000004F80000-0x0000000004F8A000-memory.dmp

Filesize
40KB

Download
memory/3584-115-0x00000000005D0000-0x000000000069A000-memory.dmp

Filesize
808KB

Download
memory/3584-118-0x0000000004EE0000-0x0000000004F72000-memory.dmp

Filesize
584KB

Download
memory/3584-117-0x0000000005500000-0x00000000059FE000-memory.dmp

Filesize
5.0MB

Download
memory/3584-116-0x00000000005D0000-0x000000000069A000-memory.dmp

Filesize
808KB

Download
memory/4404-139-0x0000000007B60000-0x000000000805E000-memory.dmp

Filesize
5.0MB

Download
memory/4404-131-0x0000000000380000-0x00000000005D8000-memory.dmp

Filesize
2.3MB

Download
memory/4404-136-0x0000000004D50000-0x0000000004D58000-memory.dmp

Filesize
32KB

Download
memory/4404-135-0x0000000004D40000-0x0000000004D48000-memory.dmp

Filesize
32KB

Download
memory/4404-140-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/4404-134-0x0000000004D20000-0x0000000004D28000-memory.dmp

Filesize
32KB

Download
memory/4404-138-0x00000000062D0000-0x000000000639A000-memory.dmp

Filesize
808KB

Download
memory/4404-137-0x00000000060C0000-0x00000000062CE000-memory.dmp

Filesize
2.1MB

Download
memory/4404-133-0x0000000004D10000-0x0000000004D18000-memory.dmp

Filesize
32KB

Download
memory/4404-132-0x0000000004DB0000-0x0000000004E4C000-memory.dmp

Filesize
624KB

Download
memory/4404-147-0x0000000007910000-0x00000000079A2000-memory.dmp

Filesize
584KB

Download
memory/4404-150-0x00000000078D0000-0x00000000078DA000-memory.dmp

Filesize
40KB

Download
memory/4404-128-0x0000000000000000-mapping.dmp

Download
memory/4512-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4512-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4512-126-0x000000000040AE9E-mapping.dmp

Download
memory/4996-202-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/4996-185-0x00000000007E2730-mapping.dmp

Download
memory/4996-186-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4996-189-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/4996-182-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/4996-187-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download