bitrat | 03fecf2c72e71174940f6b7b31887155ce0f92e3af5f95ed323af83b1ca9814f

Analysis

max time kernel
1814s
max time network
1818s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03-11-2022 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8645_30_321_PDF.exe
Size

300.0MB
MD5

b77a44c24d6afbeec6bf3fc7a89eef38
SHA1

9c956f05e4d77353c9da0fa34ce83b9603458b68
SHA256

03fecf2c72e71174940f6b7b31887155ce0f92e3af5f95ed323af83b1ca9814f
SHA512

b9d70c2dd353f6ffcb5e1442d4c93c4afb0c3d762c718b97d87a4b2726e93992f7ad3c046d778b3823bfd289ad1d26e56228838fd8f86425298e96acdfc079c9
SSDEEP

49152:65yqSeXRXNTeuzSMGSQvGMQGWcR4XkKodV9SMAOeZWjUvJ2GR6bcRhOPD5U6:65yqlXRXteg54GEdCPLOt4B2K6br5

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

bit9090.duckdns.org:9090

bitone9090.duckdns.org:9090

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 3 IoCs

Processes:

nbitt9090.execvdafs.execvdafs.exe

pid process

4072 nbitt9090.exe
2108 cvdafs.exe
4368 cvdafs.exe

pid	process
4072	nbitt9090.exe
2108	cvdafs.exe
4368	cvdafs.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe	upx
C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe	upx
behavioral2/memory/4072-266-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3616-261-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3616-423-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4072-424-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/940-608-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/940-663-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2172-840-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2172-900-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

vbc.exenbitt9090.exevbc.exevbc.exe

pid process

3616 vbc.exe
4072 nbitt9090.exe
4072 nbitt9090.exe
4072 nbitt9090.exe
4072 nbitt9090.exe
3616 vbc.exe
3616 vbc.exe
3616 vbc.exe
940 vbc.exe
2172 vbc.exe

pid	process
3616	vbc.exe
4072	nbitt9090.exe
4072	nbitt9090.exe
4072	nbitt9090.exe
4072	nbitt9090.exe
3616	vbc.exe
3616	vbc.exe
3616	vbc.exe
940	vbc.exe
2172	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

8645_30_321_PDF.execvdafs.execvdafs.exe

description	pid	process	target process
PID 3468 set thread context of 3616	3468	8645_30_321_PDF.exe	vbc.exe
PID 2108 set thread context of 940	2108	cvdafs.exe	vbc.exe
PID 4368 set thread context of 2172	4368	cvdafs.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3316 schtasks.exe
2356 schtasks.exe
588 schtasks.exe

pid	process
3316	schtasks.exe
2356	schtasks.exe
588	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exenbitt9090.exevbc.exevbc.exe

description	pid	process
Token: SeShutdownPrivilege	3616	vbc.exe
Token: SeShutdownPrivilege	4072	nbitt9090.exe
Token: SeShutdownPrivilege	940	vbc.exe
Token: SeShutdownPrivilege	2172	vbc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

nbitt9090.exevbc.exe

pid process

4072 nbitt9090.exe
4072 nbitt9090.exe
3616 vbc.exe
3616 vbc.exe

pid	process
4072	nbitt9090.exe
4072	nbitt9090.exe
3616	vbc.exe
3616	vbc.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

8645_30_321_PDF.execmd.execvdafs.execmd.execvdafs.execmd.exe

description	pid	process	target process
PID 3468 wrote to memory of 4760	3468	8645_30_321_PDF.exe	cmd.exe
PID 3468 wrote to memory of 4760	3468	8645_30_321_PDF.exe	cmd.exe
PID 3468 wrote to memory of 4760	3468	8645_30_321_PDF.exe	cmd.exe
PID 3468 wrote to memory of 4828	3468	8645_30_321_PDF.exe	cmd.exe
PID 3468 wrote to memory of 4828	3468	8645_30_321_PDF.exe	cmd.exe
PID 3468 wrote to memory of 4828	3468	8645_30_321_PDF.exe	cmd.exe
PID 4760 wrote to memory of 3316	4760	cmd.exe	schtasks.exe
PID 4760 wrote to memory of 3316	4760	cmd.exe	schtasks.exe
PID 4760 wrote to memory of 3316	4760	cmd.exe	schtasks.exe
PID 3468 wrote to memory of 3616	3468	8645_30_321_PDF.exe	vbc.exe
PID 3468 wrote to memory of 3616	3468	8645_30_321_PDF.exe	vbc.exe
PID 3468 wrote to memory of 3616	3468	8645_30_321_PDF.exe	vbc.exe
PID 3468 wrote to memory of 3616	3468	8645_30_321_PDF.exe	vbc.exe
PID 3468 wrote to memory of 3616	3468	8645_30_321_PDF.exe	vbc.exe
PID 3468 wrote to memory of 3616	3468	8645_30_321_PDF.exe	vbc.exe
PID 3468 wrote to memory of 3616	3468	8645_30_321_PDF.exe	vbc.exe
PID 3468 wrote to memory of 4072	3468	8645_30_321_PDF.exe	nbitt9090.exe
PID 3468 wrote to memory of 4072	3468	8645_30_321_PDF.exe	nbitt9090.exe
PID 3468 wrote to memory of 4072	3468	8645_30_321_PDF.exe	nbitt9090.exe
PID 2108 wrote to memory of 4840	2108	cvdafs.exe	cmd.exe
PID 2108 wrote to memory of 4840	2108	cvdafs.exe	cmd.exe
PID 2108 wrote to memory of 4840	2108	cvdafs.exe	cmd.exe
PID 2108 wrote to memory of 2568	2108	cvdafs.exe	cmd.exe
PID 2108 wrote to memory of 2568	2108	cvdafs.exe	cmd.exe
PID 2108 wrote to memory of 2568	2108	cvdafs.exe	cmd.exe
PID 4840 wrote to memory of 2356	4840	cmd.exe	schtasks.exe
PID 4840 wrote to memory of 2356	4840	cmd.exe	schtasks.exe
PID 4840 wrote to memory of 2356	4840	cmd.exe	schtasks.exe
PID 2108 wrote to memory of 940	2108	cvdafs.exe	vbc.exe
PID 2108 wrote to memory of 940	2108	cvdafs.exe	vbc.exe
PID 2108 wrote to memory of 940	2108	cvdafs.exe	vbc.exe
PID 2108 wrote to memory of 940	2108	cvdafs.exe	vbc.exe
PID 2108 wrote to memory of 940	2108	cvdafs.exe	vbc.exe
PID 2108 wrote to memory of 940	2108	cvdafs.exe	vbc.exe
PID 2108 wrote to memory of 940	2108	cvdafs.exe	vbc.exe
PID 4368 wrote to memory of 396	4368	cvdafs.exe	cmd.exe
PID 4368 wrote to memory of 396	4368	cvdafs.exe	cmd.exe
PID 4368 wrote to memory of 396	4368	cvdafs.exe	cmd.exe
PID 396 wrote to memory of 588	396	cmd.exe	schtasks.exe
PID 396 wrote to memory of 588	396	cmd.exe	schtasks.exe
PID 396 wrote to memory of 588	396	cmd.exe	schtasks.exe
PID 4368 wrote to memory of 196	4368	cvdafs.exe	cmd.exe
PID 4368 wrote to memory of 196	4368	cvdafs.exe	cmd.exe
PID 4368 wrote to memory of 196	4368	cvdafs.exe	cmd.exe
PID 4368 wrote to memory of 2172	4368	cvdafs.exe	vbc.exe
PID 4368 wrote to memory of 2172	4368	cvdafs.exe	vbc.exe
PID 4368 wrote to memory of 2172	4368	cvdafs.exe	vbc.exe
PID 4368 wrote to memory of 2172	4368	cvdafs.exe	vbc.exe
PID 4368 wrote to memory of 2172	4368	cvdafs.exe	vbc.exe
PID 4368 wrote to memory of 2172	4368	cvdafs.exe	vbc.exe
PID 4368 wrote to memory of 2172	4368	cvdafs.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8645_30_321_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\8645_30_321_PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3316

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\8645_30_321_PDF.exe" "C:\Users\Admin\AppData\Roaming\cvdafs.exe"
2⤵
PID:4828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3616

C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe
"C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4072

C:\Users\Admin\AppData\Roaming\cvdafs.exe
C:\Users\Admin\AppData\Roaming\cvdafs.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2356

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\cvdafs.exe" "C:\Users\Admin\AppData\Roaming\cvdafs.exe"
2⤵
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Users\Admin\AppData\Roaming\cvdafs.exe
C:\Users\Admin\AppData\Roaming\cvdafs.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:588

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\cvdafs.exe" "C:\Users\Admin\AppData\Roaming\cvdafs.exe"
2⤵
PID:196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cvdafs.exe.log
Filesize
612B

MD5
e515039a8d5a085ff2e6b44d1a17a958

SHA1
f8a766108bde32e852915233bc043d6d7f8b74ec

SHA256
ee7d04f722b7f7c9750d2aad4919cc80b249593558a0b18ca818e0f64279d5f2

SHA512
bfe36952331f835f1b7c545ed39d57b910a0d4a922a05de4f813b5121dbd6dee5418bd43cb3b5e383d22d8860436c13c39d2e2133894dd1f31091d5cd1437f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe
Filesize
1.4MB

MD5
d2d601c4f27a42233076ebc6e05f07f0

SHA1
5a0b561f883b88ca3d4d9bdba5143f103ea83d14

SHA256
dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

SHA512
f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe
Filesize
1.4MB

MD5
d2d601c4f27a42233076ebc6e05f07f0

SHA1
5a0b561f883b88ca3d4d9bdba5143f103ea83d14

SHA256
dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

SHA512
f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

Download Submit
C:\Users\Admin\AppData\Roaming\cvdafs.exe
Filesize
300.0MB

MD5
b77a44c24d6afbeec6bf3fc7a89eef38

SHA1
9c956f05e4d77353c9da0fa34ce83b9603458b68

SHA256
03fecf2c72e71174940f6b7b31887155ce0f92e3af5f95ed323af83b1ca9814f

SHA512
b9d70c2dd353f6ffcb5e1442d4c93c4afb0c3d762c718b97d87a4b2726e93992f7ad3c046d778b3823bfd289ad1d26e56228838fd8f86425298e96acdfc079c9

Download Submit
C:\Users\Admin\AppData\Roaming\cvdafs.exe
Filesize
300.0MB

MD5
b77a44c24d6afbeec6bf3fc7a89eef38

SHA1
9c956f05e4d77353c9da0fa34ce83b9603458b68

SHA256
03fecf2c72e71174940f6b7b31887155ce0f92e3af5f95ed323af83b1ca9814f

SHA512
b9d70c2dd353f6ffcb5e1442d4c93c4afb0c3d762c718b97d87a4b2726e93992f7ad3c046d778b3823bfd289ad1d26e56228838fd8f86425298e96acdfc079c9

Download Submit
C:\Users\Admin\AppData\Roaming\cvdafs.exe
Filesize
300.0MB

MD5
b77a44c24d6afbeec6bf3fc7a89eef38

SHA1
9c956f05e4d77353c9da0fa34ce83b9603458b68

SHA256
03fecf2c72e71174940f6b7b31887155ce0f92e3af5f95ed323af83b1ca9814f

SHA512
b9d70c2dd353f6ffcb5e1442d4c93c4afb0c3d762c718b97d87a4b2726e93992f7ad3c046d778b3823bfd289ad1d26e56228838fd8f86425298e96acdfc079c9

Download Submit
memory/196-776-0x0000000000000000-mapping.dmp

Download
memory/396-767-0x0000000000000000-mapping.dmp

Download
memory/588-773-0x0000000000000000-mapping.dmp

Download
memory/940-663-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/940-608-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/940-575-0x00000000007E2730-mapping.dmp

Download
memory/2172-840-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2172-900-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2172-874-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/2172-816-0x00000000007E2730-mapping.dmp

Download
memory/2356-555-0x0000000000000000-mapping.dmp

Download
memory/2568-548-0x0000000000000000-mapping.dmp

Download
memory/3316-181-0x0000000000000000-mapping.dmp

Download
memory/3316-188-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3316-186-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3316-183-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-156-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-134-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-143-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-144-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-145-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-146-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-147-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-148-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-149-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-150-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-151-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-152-0x0000000000520000-0x0000000000816000-memory.dmp

Filesize
3.0MB

Download
memory/3468-153-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-154-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-155-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-124-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-157-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-158-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-159-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-160-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-161-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-162-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-163-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-164-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-165-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-166-0x0000000005000000-0x0000000005066000-memory.dmp

Filesize
408KB

Download
memory/3468-122-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-125-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-129-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-126-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-172-0x0000000005860000-0x0000000005D5E000-memory.dmp

Filesize
5.0MB

Download
memory/3468-121-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-136-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-142-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-137-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-120-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-135-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-119-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-123-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-132-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-141-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-140-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-127-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-139-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-133-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-128-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-138-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-130-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-131-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3616-351-0x0000000073CC0000-0x0000000073CFA000-memory.dmp

Filesize
232KB

Download
memory/3616-666-0x0000000073E10000-0x0000000073E4A000-memory.dmp

Filesize
232KB

Download
memory/3616-938-0x0000000073E10000-0x0000000073E4A000-memory.dmp

Filesize
232KB

Download
memory/3616-902-0x0000000070AF0000-0x0000000070B2A000-memory.dmp

Filesize
232KB

Download
memory/3616-261-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3616-1245-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-971-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-1270-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-973-0x0000000070AF0000-0x0000000070B2A000-memory.dmp

Filesize
232KB

Download
memory/3616-1179-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-1313-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-423-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3616-422-0x0000000073E10000-0x0000000073E4A000-memory.dmp

Filesize
232KB

Download
memory/3616-207-0x00000000007E2730-mapping.dmp

Download
memory/3616-1008-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-814-0x0000000070AF0000-0x0000000070B2A000-memory.dmp

Filesize
232KB

Download
memory/3616-542-0x0000000070AF0000-0x0000000070B2A000-memory.dmp

Filesize
232KB

Download
memory/3616-1347-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-936-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-1372-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-1043-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-1076-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-1078-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-664-0x0000000073CC0000-0x0000000073CFA000-memory.dmp

Filesize
232KB

Download
memory/3616-1106-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-1006-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/3616-749-0x0000000073E10000-0x0000000073E4A000-memory.dmp

Filesize
232KB

Download
memory/3616-458-0x0000000073E10000-0x0000000073E4A000-memory.dmp

Filesize
232KB

Download
memory/4072-1432-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-748-0x0000000073E10000-0x0000000073E4A000-memory.dmp

Filesize
232KB

Download
memory/4072-683-0x0000000073E10000-0x0000000073E4A000-memory.dmp

Filesize
232KB

Download
memory/4072-766-0x0000000070AF0000-0x0000000070B2A000-memory.dmp

Filesize
232KB

Download
memory/4072-665-0x0000000073E10000-0x0000000073E4A000-memory.dmp

Filesize
232KB

Download
memory/4072-400-0x0000000073E10000-0x0000000073E4A000-memory.dmp

Filesize
232KB

Download
memory/4072-1112-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-1122-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-1162-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-441-0x0000000073E10000-0x0000000073E4A000-memory.dmp

Filesize
232KB

Download
memory/4072-424-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4072-353-0x0000000073AC0000-0x0000000073AFA000-memory.dmp

Filesize
232KB

Download
memory/4072-901-0x0000000070AF0000-0x0000000070B2A000-memory.dmp

Filesize
232KB

Download
memory/4072-266-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4072-919-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-239-0x0000000000000000-mapping.dmp

Download
memory/4072-937-0x0000000073E10000-0x0000000073E4A000-memory.dmp

Filesize
232KB

Download
memory/4072-1212-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-1246-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-972-0x0000000070AF0000-0x0000000070B2A000-memory.dmp

Filesize
232KB

Download
memory/4072-1296-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-1330-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-1007-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-1364-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-1025-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-1042-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-525-0x0000000070AF0000-0x0000000070B2A000-memory.dmp

Filesize
232KB

Download
memory/4072-1382-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-1077-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4072-1390-0x0000000070A50000-0x0000000070A8A000-memory.dmp

Filesize
232KB

Download
memory/4760-171-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-170-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-167-0x0000000000000000-mapping.dmp

Download
memory/4760-169-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-178-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-168-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4828-180-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4828-187-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4828-184-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4828-179-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4828-175-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4828-177-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4828-176-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4828-174-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4828-185-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4828-182-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4828-173-0x0000000000000000-mapping.dmp

Download
memory/4840-543-0x0000000000000000-mapping.dmp

Download