bitrat | d015cc62807ddeaff046994dedffe190daa109c55915fd0197af207d43b885d4

Analysis

max time kernel
300s
max time network
295s
platform
windows10_x64
resource
win10-20220414-en
submitted
21-06-2022 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ormnSmihfe.exe
Size

1.6MB
MD5

1814db17602cfe2befd39d200aa0faa8
SHA1

eb6db4fc476222dc8f5ec1c75a4ffd6aa79f0f4f
SHA256

d015cc62807ddeaff046994dedffe190daa109c55915fd0197af207d43b885d4
SHA512

3443163a49d457197bec63ef535b6b1572a985ba103b1dfafb09240d43fb8a5fab45f50c2c87cbe6c41a2c78a28de90105ea09912dc01a26ab8a34dcab45a0d5

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

bitrat9400.duckdns.org:9400

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 4 IoCs

Processes:

casr.execasr.execasr.execasr.exe

pid process

2264 casr.exe
1608 casr.exe
2356 casr.exe
1920 casr.exe

pid	process
2264	casr.exe
1608	casr.exe
2356	casr.exe
1920	casr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3788-256-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3788-319-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/716-466-0x0000000000A00000-0x0000000000DE4000-memory.dmp	upx
behavioral2/memory/2020-599-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2020-639-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/848-784-0x0000000000810000-0x0000000000BF4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

3788 RegAsm.exe
3788 RegAsm.exe
3788 RegAsm.exe
3788 RegAsm.exe
3788 RegAsm.exe
3788 RegAsm.exe
2020 RegAsm.exe
3788 RegAsm.exe
3788 RegAsm.exe

pid	process
3788	RegAsm.exe
3788	RegAsm.exe
3788	RegAsm.exe
3788	RegAsm.exe
3788	RegAsm.exe
3788	RegAsm.exe
2020	RegAsm.exe
3788	RegAsm.exe
3788	RegAsm.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ormnSmihfe.execasr.execasr.execasr.exe

description	pid	process	target process
PID 3100 set thread context of 3788	3100	ormnSmihfe.exe	RegAsm.exe
PID 2264 set thread context of 716	2264	casr.exe	RegAsm.exe
PID 1608 set thread context of 2020	1608	casr.exe	RegAsm.exe
PID 2356 set thread context of 848	2356	casr.exe	RegAsm.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

392 716 WerFault.exe RegAsm.exe
3324 848 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3700 schtasks.exe
204 schtasks.exe
1456 schtasks.exe
3956 schtasks.exe
3200 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exeRegAsm.exe

description pid process

Token: SeShutdownPrivilege 3788 RegAsm.exe
Token: SeShutdownPrivilege 2020 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

3788 RegAsm.exe
3788 RegAsm.exe

pid	pid_target	process	target process
392	716	WerFault.exe	RegAsm.exe
3324	848	WerFault.exe	RegAsm.exe

pid	process
3700	schtasks.exe
204	schtasks.exe
1456	schtasks.exe
3956	schtasks.exe
3200	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	3788	RegAsm.exe
Token: SeShutdownPrivilege	2020	RegAsm.exe

pid	process
3788	RegAsm.exe
3788	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ormnSmihfe.execmd.execasr.execmd.execasr.execmd.execasr.execmd.exe

description	pid	process	target process
PID 3100 wrote to memory of 3344	3100	ormnSmihfe.exe	cmd.exe
PID 3100 wrote to memory of 3344	3100	ormnSmihfe.exe	cmd.exe
PID 3100 wrote to memory of 3344	3100	ormnSmihfe.exe	cmd.exe
PID 3344 wrote to memory of 3700	3344	cmd.exe	schtasks.exe
PID 3344 wrote to memory of 3700	3344	cmd.exe	schtasks.exe
PID 3344 wrote to memory of 3700	3344	cmd.exe	schtasks.exe
PID 3100 wrote to memory of 3772	3100	ormnSmihfe.exe	cmd.exe
PID 3100 wrote to memory of 3772	3100	ormnSmihfe.exe	cmd.exe
PID 3100 wrote to memory of 3772	3100	ormnSmihfe.exe	cmd.exe
PID 3100 wrote to memory of 3788	3100	ormnSmihfe.exe	RegAsm.exe
PID 3100 wrote to memory of 3788	3100	ormnSmihfe.exe	RegAsm.exe
PID 3100 wrote to memory of 3788	3100	ormnSmihfe.exe	RegAsm.exe
PID 3100 wrote to memory of 3788	3100	ormnSmihfe.exe	RegAsm.exe
PID 3100 wrote to memory of 3788	3100	ormnSmihfe.exe	RegAsm.exe
PID 3100 wrote to memory of 3788	3100	ormnSmihfe.exe	RegAsm.exe
PID 3100 wrote to memory of 3788	3100	ormnSmihfe.exe	RegAsm.exe
PID 2264 wrote to memory of 4016	2264	casr.exe	cmd.exe
PID 2264 wrote to memory of 4016	2264	casr.exe	cmd.exe
PID 2264 wrote to memory of 4016	2264	casr.exe	cmd.exe
PID 4016 wrote to memory of 204	4016	cmd.exe	schtasks.exe
PID 4016 wrote to memory of 204	4016	cmd.exe	schtasks.exe
PID 4016 wrote to memory of 204	4016	cmd.exe	schtasks.exe
PID 2264 wrote to memory of 1548	2264	casr.exe	cmd.exe
PID 2264 wrote to memory of 1548	2264	casr.exe	cmd.exe
PID 2264 wrote to memory of 1548	2264	casr.exe	cmd.exe
PID 2264 wrote to memory of 716	2264	casr.exe	RegAsm.exe
PID 2264 wrote to memory of 716	2264	casr.exe	RegAsm.exe
PID 2264 wrote to memory of 716	2264	casr.exe	RegAsm.exe
PID 2264 wrote to memory of 716	2264	casr.exe	RegAsm.exe
PID 2264 wrote to memory of 716	2264	casr.exe	RegAsm.exe
PID 2264 wrote to memory of 716	2264	casr.exe	RegAsm.exe
PID 2264 wrote to memory of 716	2264	casr.exe	RegAsm.exe
PID 1608 wrote to memory of 3504	1608	casr.exe	cmd.exe
PID 1608 wrote to memory of 3504	1608	casr.exe	cmd.exe
PID 1608 wrote to memory of 3504	1608	casr.exe	cmd.exe
PID 3504 wrote to memory of 1456	3504	cmd.exe	schtasks.exe
PID 3504 wrote to memory of 1456	3504	cmd.exe	schtasks.exe
PID 3504 wrote to memory of 1456	3504	cmd.exe	schtasks.exe
PID 1608 wrote to memory of 3676	1608	casr.exe	cmd.exe
PID 1608 wrote to memory of 3676	1608	casr.exe	cmd.exe
PID 1608 wrote to memory of 3676	1608	casr.exe	cmd.exe
PID 1608 wrote to memory of 2020	1608	casr.exe	RegAsm.exe
PID 1608 wrote to memory of 2020	1608	casr.exe	RegAsm.exe
PID 1608 wrote to memory of 2020	1608	casr.exe	RegAsm.exe
PID 1608 wrote to memory of 2020	1608	casr.exe	RegAsm.exe
PID 1608 wrote to memory of 2020	1608	casr.exe	RegAsm.exe
PID 1608 wrote to memory of 2020	1608	casr.exe	RegAsm.exe
PID 1608 wrote to memory of 2020	1608	casr.exe	RegAsm.exe
PID 2356 wrote to memory of 2520	2356	casr.exe	cmd.exe
PID 2356 wrote to memory of 2520	2356	casr.exe	cmd.exe
PID 2356 wrote to memory of 2520	2356	casr.exe	cmd.exe
PID 2520 wrote to memory of 3956	2520	cmd.exe	schtasks.exe
PID 2520 wrote to memory of 3956	2520	cmd.exe	schtasks.exe
PID 2520 wrote to memory of 3956	2520	cmd.exe	schtasks.exe
PID 2356 wrote to memory of 1468	2356	casr.exe	cmd.exe
PID 2356 wrote to memory of 1468	2356	casr.exe	cmd.exe
PID 2356 wrote to memory of 1468	2356	casr.exe	cmd.exe
PID 2356 wrote to memory of 848	2356	casr.exe	RegAsm.exe
PID 2356 wrote to memory of 848	2356	casr.exe	RegAsm.exe
PID 2356 wrote to memory of 848	2356	casr.exe	RegAsm.exe
PID 2356 wrote to memory of 848	2356	casr.exe	RegAsm.exe
PID 2356 wrote to memory of 848	2356	casr.exe	RegAsm.exe
PID 2356 wrote to memory of 848	2356	casr.exe	RegAsm.exe
PID 2356 wrote to memory of 848	2356	casr.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\ormnSmihfe.exe
"C:\Users\Admin\AppData\Local\Temp\ormnSmihfe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3700

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\ormnSmihfe.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:3772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3788

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:204

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 552
3⤵
- Program crash
PID:392

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1456

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:3676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3956

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 552
3⤵
- Program crash
PID:3324

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
PID:3648

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3200

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:3232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\casr.exe.log

Filesize
520B

MD5
f5a4ac8b07bce81c5d29a6701317315b

SHA1
b2a2b7735c475f5d30a2d94251b4d7c4f511a57e

SHA256
e6a1b02dd813c1f29bfd8361a4fc7ca6f24d2e41d5c3a66258cb66f3cb902f5a

SHA512
83a82932a9395f13e346a5e3e7fd27ed6d5fb6d32b6838107c24318add4c74f199d974d6f33acb0f6aa670a19a544c672f420249c792e336452ad37f304e7dc0

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe

Filesize
1.6MB

MD5
1814db17602cfe2befd39d200aa0faa8

SHA1
eb6db4fc476222dc8f5ec1c75a4ffd6aa79f0f4f

SHA256
d015cc62807ddeaff046994dedffe190daa109c55915fd0197af207d43b885d4

SHA512
3443163a49d457197bec63ef535b6b1572a985ba103b1dfafb09240d43fb8a5fab45f50c2c87cbe6c41a2c78a28de90105ea09912dc01a26ab8a34dcab45a0d5

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe

Filesize
1.6MB

MD5
1814db17602cfe2befd39d200aa0faa8

SHA1
eb6db4fc476222dc8f5ec1c75a4ffd6aa79f0f4f

SHA256
d015cc62807ddeaff046994dedffe190daa109c55915fd0197af207d43b885d4

SHA512
3443163a49d457197bec63ef535b6b1572a985ba103b1dfafb09240d43fb8a5fab45f50c2c87cbe6c41a2c78a28de90105ea09912dc01a26ab8a34dcab45a0d5

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe

Filesize
1.6MB

MD5
1814db17602cfe2befd39d200aa0faa8

SHA1
eb6db4fc476222dc8f5ec1c75a4ffd6aa79f0f4f

SHA256
d015cc62807ddeaff046994dedffe190daa109c55915fd0197af207d43b885d4

SHA512
3443163a49d457197bec63ef535b6b1572a985ba103b1dfafb09240d43fb8a5fab45f50c2c87cbe6c41a2c78a28de90105ea09912dc01a26ab8a34dcab45a0d5

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe

Filesize
1.6MB

MD5
1814db17602cfe2befd39d200aa0faa8

SHA1
eb6db4fc476222dc8f5ec1c75a4ffd6aa79f0f4f

SHA256
d015cc62807ddeaff046994dedffe190daa109c55915fd0197af207d43b885d4

SHA512
3443163a49d457197bec63ef535b6b1572a985ba103b1dfafb09240d43fb8a5fab45f50c2c87cbe6c41a2c78a28de90105ea09912dc01a26ab8a34dcab45a0d5

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe

Filesize
1.6MB

MD5
1814db17602cfe2befd39d200aa0faa8

SHA1
eb6db4fc476222dc8f5ec1c75a4ffd6aa79f0f4f

SHA256
d015cc62807ddeaff046994dedffe190daa109c55915fd0197af207d43b885d4

SHA512
3443163a49d457197bec63ef535b6b1572a985ba103b1dfafb09240d43fb8a5fab45f50c2c87cbe6c41a2c78a28de90105ea09912dc01a26ab8a34dcab45a0d5

Download Submit
memory/204-397-0x0000000000000000-mapping.dmp

Download
memory/716-423-0x00000000007E2740-mapping.dmp

Download
memory/716-466-0x0000000000A00000-0x0000000000DE4000-memory.dmp

Filesize
3.9MB

Download
memory/848-784-0x0000000000810000-0x0000000000BF4000-memory.dmp

Filesize
3.9MB

Download
memory/848-741-0x00000000007E2740-mapping.dmp

Download
memory/1456-527-0x0000000000000000-mapping.dmp

Download
memory/1468-733-0x0000000000000000-mapping.dmp

Download
memory/1548-416-0x0000000000000000-mapping.dmp

Download
memory/2020-639-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2020-633-0x0000000072760000-0x000000007279A000-memory.dmp

Filesize
232KB

Download
memory/2020-599-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2020-554-0x00000000007E2740-mapping.dmp

Download
memory/2520-708-0x0000000000000000-mapping.dmp

Download
memory/3100-154-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-164-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-139-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-140-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-141-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-142-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-143-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-144-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-145-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-146-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-147-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-148-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-149-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-150-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-151-0x0000000000530000-0x00000000006C4000-memory.dmp

Filesize
1.6MB

Download
memory/3100-152-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-153-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-138-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-155-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-156-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-157-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-158-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-159-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-160-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-161-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-162-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-163-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-137-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-165-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-166-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-167-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-168-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-169-0x00000000052B0000-0x0000000005426000-memory.dmp

Filesize
1.5MB

Download
memory/3100-118-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-119-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-120-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-136-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-135-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-134-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-133-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-132-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-131-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-130-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-129-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-128-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-127-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-126-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-125-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-123-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-195-0x0000000005930000-0x0000000005E2E000-memory.dmp

Filesize
5.0MB

Download
memory/3100-124-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-122-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3100-121-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3200-860-0x0000000000000000-mapping.dmp

Download
memory/3232-879-0x0000000000000000-mapping.dmp

Download
memory/3344-170-0x0000000000000000-mapping.dmp

Download
memory/3344-171-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3344-172-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3344-173-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3344-174-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3344-175-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-521-0x0000000000000000-mapping.dmp

Download
memory/3648-854-0x0000000000000000-mapping.dmp

Download
memory/3676-546-0x0000000000000000-mapping.dmp

Download
memory/3700-181-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3700-178-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3700-185-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3700-184-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3700-176-0x0000000000000000-mapping.dmp

Download
memory/3700-183-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3700-182-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3700-177-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3700-180-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3700-179-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3772-196-0x0000000000000000-mapping.dmp

Download
memory/3788-649-0x0000000072760000-0x000000007279A000-memory.dmp

Filesize
232KB

Download
memory/3788-468-0x0000000073810000-0x000000007384A000-memory.dmp

Filesize
232KB

Download
memory/3788-319-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3788-467-0x0000000073840000-0x000000007387A000-memory.dmp

Filesize
232KB

Download
memory/3788-211-0x00000000007E2740-mapping.dmp

Download
memory/3788-256-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3788-273-0x0000000073840000-0x000000007387A000-memory.dmp

Filesize
232KB

Download
memory/3788-838-0x0000000071FC0000-0x0000000071FFA000-memory.dmp

Filesize
232KB

Download
memory/3788-849-0x0000000072760000-0x000000007279A000-memory.dmp

Filesize
232KB

Download
memory/3788-375-0x0000000071F80000-0x0000000071FBA000-memory.dmp

Filesize
232KB

Download
memory/3788-318-0x0000000073810000-0x000000007384A000-memory.dmp

Filesize
232KB

Download
memory/3956-714-0x0000000000000000-mapping.dmp

Download
memory/4016-391-0x0000000000000000-mapping.dmp

Download