bitrat | 7f5baba61bce87f124d7c559767fb067e00743141554fcc76b87d1e39ee4e074

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10-en-20211208
submitted
07-01-2022 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SKM-21022100.js
Size

213KB
MD5

0618efa95ebe9c933466fdf795961c43
SHA1

6e93f7b03f1149f821b57176a4b838c7365572ac
SHA256

7f5baba61bce87f124d7c559767fb067e00743141554fcc76b87d1e39ee4e074
SHA512

e59cf7c7323ebbbb0542ff8a62fb988dfac9f590987dce3b4efce79e0609a654a92622b7dc605f6894801db105183540dfae6f3e876026398d938505fb262d42

Score

10^/10

bitrat revengerat nyancatrevenge evasion persistence trojan upx

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

macjoe597.duia.ro:3175

Mutex

1e858dc786914c61

Extracted

Family

bitrat

Version

1.38

severdops.ddns.net:3071

Attributes

communication_password
29ef52e7563626a96cea7f4b4085c124
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

9 2336 wscript.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

macjoe597.exedt.exe

pid process

3288 macjoe597.exe
3932 dt.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

flow	pid	process
9	2336	wscript.exe

pid	process
3288	macjoe597.exe
3932	dt.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1920-171-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral2/memory/1920-178-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral2/memory/1920-184-0x0000000000400000-0x00000000007E5000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dt.exe

Deletes itself 1 IoCs

Processes:

wscript.exe

pid process

2336 wscript.exe

pid	process
2336	wscript.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

dt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	dt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	dt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe = "0"	dt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\dt.exe = "0"	dt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAISTERSFDC = "C:\\Users\\Public\\Documents\\TATTOOISTSEAB\\svchost.exe"	dt.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	dt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	dt.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

aspnet_wp.exe

pid process

1920 aspnet_wp.exe
1920 aspnet_wp.exe
1920 aspnet_wp.exe
1920 aspnet_wp.exe
1920 aspnet_wp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dt.exe

description pid process target process

PID 3932 set thread context of 1920 3932 dt.exe aspnet_wp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1920	aspnet_wp.exe
1920	aspnet_wp.exe
1920	aspnet_wp.exe
1920	aspnet_wp.exe
1920	aspnet_wp.exe

description	pid	process	target process
PID 3932 set thread context of 1920	3932	dt.exe	aspnet_wp.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

dt.exepowershell.exepowershell.exepowershell.exe

pid	process
3932	dt.exe
3932	dt.exe
3932	dt.exe
3932	dt.exe
1332	powershell.exe
2832	powershell.exe
3972	powershell.exe
3972	powershell.exe
1332	powershell.exe
3932	dt.exe
3932	dt.exe
3932	dt.exe
3932	dt.exe
2832	powershell.exe
3932	dt.exe
3932	dt.exe
3932	dt.exe
3932	dt.exe
3972	powershell.exe
1332	powershell.exe
2832	powershell.exe
3932	dt.exe
3932	dt.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

dt.exepowershell.exepowershell.exepowershell.exeaspnet_wp.exe

description	pid	process
Token: SeDebugPrivilege	3932	dt.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeShutdownPrivilege	1920	aspnet_wp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

aspnet_wp.exe

pid process

1920 aspnet_wp.exe
1920 aspnet_wp.exe

pid	process
1920	aspnet_wp.exe
1920	aspnet_wp.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

wscript.exewscript.exedt.exe

description	pid	process	target process
PID 2336 wrote to memory of 2740	2336	wscript.exe	wscript.exe
PID 2336 wrote to memory of 2740	2336	wscript.exe	wscript.exe
PID 2740 wrote to memory of 3288	2740	wscript.exe	macjoe597.exe
PID 2740 wrote to memory of 3288	2740	wscript.exe	macjoe597.exe
PID 2740 wrote to memory of 3288	2740	wscript.exe	macjoe597.exe
PID 2336 wrote to memory of 3932	2336	wscript.exe	dt.exe
PID 2336 wrote to memory of 3932	2336	wscript.exe	dt.exe
PID 2336 wrote to memory of 3932	2336	wscript.exe	dt.exe
PID 3932 wrote to memory of 2832	3932	dt.exe	powershell.exe
PID 3932 wrote to memory of 2832	3932	dt.exe	powershell.exe
PID 3932 wrote to memory of 2832	3932	dt.exe	powershell.exe
PID 3932 wrote to memory of 3972	3932	dt.exe	powershell.exe
PID 3932 wrote to memory of 3972	3932	dt.exe	powershell.exe
PID 3932 wrote to memory of 3972	3932	dt.exe	powershell.exe
PID 3932 wrote to memory of 1332	3932	dt.exe	powershell.exe
PID 3932 wrote to memory of 1332	3932	dt.exe	powershell.exe
PID 3932 wrote to memory of 1332	3932	dt.exe	powershell.exe
PID 3932 wrote to memory of 504	3932	dt.exe	mscorsvw.exe
PID 3932 wrote to memory of 504	3932	dt.exe	mscorsvw.exe
PID 3932 wrote to memory of 504	3932	dt.exe	mscorsvw.exe
PID 3932 wrote to memory of 1904	3932	dt.exe	AppLaunch.exe
PID 3932 wrote to memory of 1904	3932	dt.exe	AppLaunch.exe
PID 3932 wrote to memory of 1904	3932	dt.exe	AppLaunch.exe
PID 3932 wrote to memory of 1920	3932	dt.exe	aspnet_wp.exe
PID 3932 wrote to memory of 1920	3932	dt.exe	aspnet_wp.exe
PID 3932 wrote to memory of 1920	3932	dt.exe	aspnet_wp.exe
PID 3932 wrote to memory of 1920	3932	dt.exe	aspnet_wp.exe
PID 3932 wrote to memory of 1920	3932	dt.exe	aspnet_wp.exe
PID 3932 wrote to memory of 1920	3932	dt.exe	aspnet_wp.exe
PID 3932 wrote to memory of 1920	3932	dt.exe	aspnet_wp.exe
PID 3932 wrote to memory of 1920	3932	dt.exe	aspnet_wp.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\SKM-21022100.js
1⤵
- Blocklisted process makes network request
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AGAzSHOPvp.js"
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Roaming\macjoe597.exe
"C:\Users\Admin\AppData\Roaming\macjoe597.exe"
3⤵
- Executes dropped EXE
PID:3288

C:\Users\Admin\AppData\Local\Temp\dt.exe
"C:\Users\Admin\AppData\Local\Temp\dt.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dt.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
3⤵
PID:504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d0e2e04dbb47150282ba5038d791e076

SHA1
d732a54816b848eedb64435110c8622b531fb0f3

SHA256
16d45b89bb7797228febc8eb89cacda66c95aa57ded02226d53ad99af7d9f128

SHA512
4feae4f0cdfe2aef8b0060f47958146860119ad1aec45e5f781dc7a800a92b566b4691b2416ef00331c6efa524ebb4a9c5fb72173b87022a4178a133b6ae4184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4b35c7a0f0cb864870cb18f4b219b50e

SHA1
57f062bc2b49b4e5b91bf299540c5b5d9d40d649

SHA256
6cd9587e8c0fe5383dbd53cec7b9b186ac6cd8be579d681af79db0acad0dd19f

SHA512
fadc24e9783c02f234fb6f4148381221c53e57057c60851a97d9d72411d304f1f01cdd8ea8b740b7d25df92b9e7630ba0ddc88275d1d5053158c4424a7997acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dt.exe
MD5
9401cf9f73dfb187bf4cef05d8cfe72b

SHA1
4af6544d8c94bb673f826a0ba4d24698150b1089

SHA256
bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45

SHA512
8438c79aa1ac9779bdab11a3f46f174aad97a7bc2fd1f571d42ef8817dc8477b68468be7445c789d125c1b8749338e047e20301d0a11b9e52dacf947abb65dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dt.exe
MD5
9401cf9f73dfb187bf4cef05d8cfe72b

SHA1
4af6544d8c94bb673f826a0ba4d24698150b1089

SHA256
bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45

SHA512
8438c79aa1ac9779bdab11a3f46f174aad97a7bc2fd1f571d42ef8817dc8477b68468be7445c789d125c1b8749338e047e20301d0a11b9e52dacf947abb65dd4

Download Submit
C:\Users\Admin\AppData\Roaming\AGAzSHOPvp.js
MD5
a4488cacb74d99f2405ca976cd453f93

SHA1
05ccc361149ff5d3d1cf21c77aa43e9d10bc78bf

SHA256
58ed5a2f5df34e6652863ea2a44a4bf2e1f05cd1e771b74893fddeaa51d6fe19

SHA512
df9728cc9aa5a129b416936e94d3e599df8d64e34375677c8f2100bdac772c1728b886b22c83b5f453dd993880db104ecabe9d2ae0c4b426f8ddfe6a05c1c8de

Download Submit
C:\Users\Admin\AppData\Roaming\macjoe597.exe
MD5
6f2422ca1b1665f0c181784b3738e100

SHA1
0ec0385993acd6fd49a13e670bc62904e7067e02

SHA256
977a9dfd479194994fd11df6274412bcb10f511a510890e9d267893886833b85

SHA512
e9068bda0707179afd39a0419578da8ec2414cd5175b1e41a6595c08b0379f9c6cf88ae7a1b82f3df91f247f877c94f71d34a5740f2b48b3290ce56794674d34

Download Submit
C:\Users\Admin\AppData\Roaming\macjoe597.exe
MD5
6f2422ca1b1665f0c181784b3738e100

SHA1
0ec0385993acd6fd49a13e670bc62904e7067e02

SHA256
977a9dfd479194994fd11df6274412bcb10f511a510890e9d267893886833b85

SHA512
e9068bda0707179afd39a0419578da8ec2414cd5175b1e41a6595c08b0379f9c6cf88ae7a1b82f3df91f247f877c94f71d34a5740f2b48b3290ce56794674d34

Download Submit
memory/1332-182-0x0000000007F60000-0x0000000007FD6000-memory.dmp

Filesize
472KB

Download
memory/1332-153-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/1332-223-0x0000000006F50000-0x0000000006FB6000-memory.dmp

Filesize
408KB

Download
memory/1332-220-0x0000000007040000-0x0000000007062000-memory.dmp

Filesize
136KB

Download
memory/1332-217-0x0000000008E30000-0x0000000008E63000-memory.dmp

Filesize
204KB

Download
memory/1332-214-0x0000000008E30000-0x0000000008E63000-memory.dmp

Filesize
204KB

Download
memory/1332-187-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1332-210-0x0000000007150000-0x0000000007778000-memory.dmp

Filesize
6.2MB

Download
memory/1332-151-0x0000000007150000-0x0000000007778000-memory.dmp

Filesize
6.2MB

Download
memory/1332-143-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1332-173-0x0000000007840000-0x000000000785C000-memory.dmp

Filesize
112KB

Download
memory/1332-175-0x0000000008190000-0x00000000081DB000-memory.dmp

Filesize
300KB

Download
memory/1332-155-0x00000000045B2000-0x00000000045B3000-memory.dmp

Filesize
4KB

Download
memory/1332-147-0x0000000004480000-0x00000000044B6000-memory.dmp

Filesize
216KB

Download
memory/1332-137-0x0000000000000000-mapping.dmp

Download
memory/1332-160-0x0000000007040000-0x0000000007062000-memory.dmp

Filesize
136KB

Download
memory/1332-162-0x0000000006F50000-0x0000000006FB6000-memory.dmp

Filesize
408KB

Download
memory/1332-169-0x0000000007960000-0x0000000007CB0000-memory.dmp

Filesize
3.3MB

Download
memory/1332-165-0x0000000007070000-0x00000000070D6000-memory.dmp

Filesize
408KB

Download
memory/1332-142-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1920-184-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/1920-171-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/1920-174-0x00000000007E2730-mapping.dmp

Download
memory/1920-176-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1920-177-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1920-178-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/2740-115-0x0000000000000000-mapping.dmp

Download
memory/2832-159-0x00000000074C0000-0x00000000074E2000-memory.dmp

Filesize
136KB

Download
memory/2832-180-0x0000000008760000-0x00000000087AB000-memory.dmp

Filesize
300KB

Download
memory/2832-211-0x0000000007680000-0x0000000007CA8000-memory.dmp

Filesize
6.2MB

Download
memory/2832-154-0x0000000007040000-0x0000000007041000-memory.dmp

Filesize
4KB

Download
memory/2832-216-0x00000000093F0000-0x0000000009423000-memory.dmp

Filesize
204KB

Download
memory/2832-218-0x00000000074C0000-0x00000000074E2000-memory.dmp

Filesize
136KB

Download
memory/2832-221-0x00000000075D0000-0x0000000007636000-memory.dmp

Filesize
408KB

Download
memory/2832-157-0x0000000007042000-0x0000000007043000-memory.dmp

Filesize
4KB

Download
memory/2832-224-0x0000000007CB0000-0x0000000007D16000-memory.dmp

Filesize
408KB

Download
memory/2832-148-0x0000000004A40000-0x0000000004A76000-memory.dmp

Filesize
216KB

Download
memory/2832-213-0x00000000093F0000-0x0000000009423000-memory.dmp

Filesize
204KB

Download
memory/2832-189-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/2832-183-0x0000000008510000-0x0000000008586000-memory.dmp

Filesize
472KB

Download
memory/2832-149-0x0000000007680000-0x0000000007CA8000-memory.dmp

Filesize
6.2MB

Download
memory/2832-166-0x0000000007CB0000-0x0000000007D16000-memory.dmp

Filesize
408KB

Download
memory/2832-179-0x0000000007540000-0x000000000755C000-memory.dmp

Filesize
112KB

Download
memory/2832-163-0x00000000075D0000-0x0000000007636000-memory.dmp

Filesize
408KB

Download
memory/2832-167-0x0000000007F00000-0x0000000008250000-memory.dmp

Filesize
3.3MB

Download
memory/2832-135-0x0000000000000000-mapping.dmp

Download
memory/2832-138-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/2832-139-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/3288-125-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3288-117-0x0000000000000000-mapping.dmp

Download
memory/3932-134-0x0000000007BB0000-0x0000000007C16000-memory.dmp

Filesize
408KB

Download
memory/3932-126-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/3932-144-0x0000000008D30000-0x0000000008DC2000-memory.dmp

Filesize
584KB

Download
memory/3932-133-0x0000000007F40000-0x000000000843E000-memory.dmp

Filesize
5.0MB

Download
memory/3932-124-0x0000000005200000-0x000000000529C000-memory.dmp

Filesize
624KB

Download
memory/3932-132-0x00000000066F0000-0x0000000006784000-memory.dmp

Filesize
592KB

Download
memory/3932-120-0x0000000000000000-mapping.dmp

Download
memory/3932-123-0x0000000000790000-0x00000000009CC000-memory.dmp

Filesize
2.2MB

Download
memory/3932-127-0x0000000002B10000-0x0000000002B18000-memory.dmp

Filesize
32KB

Download
memory/3932-131-0x00000000064E0000-0x00000000066EC000-memory.dmp

Filesize
2.0MB

Download
memory/3932-145-0x0000000007F00000-0x0000000007F0A000-memory.dmp

Filesize
40KB

Download
memory/3932-130-0x0000000002B50000-0x0000000002B58000-memory.dmp

Filesize
32KB

Download
memory/3932-128-0x0000000002B20000-0x0000000002B28000-memory.dmp

Filesize
32KB

Download
memory/3932-129-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/3972-141-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/3972-156-0x0000000004D82000-0x0000000004D83000-memory.dmp

Filesize
4KB

Download
memory/3972-185-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/3972-161-0x0000000007DF0000-0x0000000007E56000-memory.dmp

Filesize
408KB

Download
memory/3972-181-0x00000000087A0000-0x0000000008816000-memory.dmp

Filesize
472KB

Download
memory/3972-170-0x0000000007FE0000-0x0000000007FFC000-memory.dmp

Filesize
112KB

Download
memory/3972-222-0x0000000007DF0000-0x0000000007E56000-memory.dmp

Filesize
408KB

Download
memory/3972-164-0x0000000007EB0000-0x0000000007F16000-memory.dmp

Filesize
408KB

Download
memory/3972-158-0x00000000076E0000-0x0000000007702000-memory.dmp

Filesize
136KB

Download
memory/3972-209-0x0000000007710000-0x0000000007D38000-memory.dmp

Filesize
6.2MB

Download
memory/3972-219-0x00000000076E0000-0x0000000007702000-memory.dmp

Filesize
136KB

Download
memory/3972-146-0x0000000004CB0000-0x0000000004CE6000-memory.dmp

Filesize
216KB

Download
memory/3972-150-0x0000000007710000-0x0000000007D38000-memory.dmp

Filesize
6.2MB

Download
memory/3972-215-0x0000000009850000-0x0000000009883000-memory.dmp

Filesize
204KB

Download
memory/3972-212-0x0000000009850000-0x0000000009883000-memory.dmp

Filesize
204KB

Download
memory/3972-152-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3972-172-0x00000000089C0000-0x0000000008A0B000-memory.dmp

Filesize
300KB

Download
memory/3972-140-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/3972-136-0x0000000000000000-mapping.dmp

Download
memory/3972-168-0x0000000008100000-0x0000000008450000-memory.dmp

Filesize
3.3MB

Download