bitrat | da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8

Analysis

max time kernel
152s
max time network
156s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
24-11-2022 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
Size

64KB
MD5

3f6cd0ff8f90ba35fe22b94e55655c96
SHA1

eabdde0d8d5ff3dee1690e322184d7ec2f3f5d10
SHA256

da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8
SHA512

8d51772b8ffce6b9aef3f1068f067811ae65ce00aca058bbef1e1a847efdb90552fc9c9bd31de0b23da03982e4eb13689caee5fb08ecdff02e3b306ca539322a
SSDEEP

1536:gwdyfgYBUngABZvxZ/DOG8s8MkeNSzXzKN:gwdyRapBZP/Dl8DMDSzX+N

Score

10^/10

bitrat xenarmor collection password persistence recovery spyware stealer trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

37.139.128.233:3569

Attributes

communication_password
ce952068942604a6d6df06ed5002fad6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000700000001abdd-488.dat	acprotect
behavioral1/files/0x000700000001abdd-489.dat	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-428-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral1/memory/2408-524-0x0000000000400000-0x00000000008DC000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
4708	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bgroyh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oklsztakdy\\Bgroyh.exe\""	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 644 set thread context of 2780	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	69
PID 2780 set thread context of 2408	2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	70
PID 2408 set thread context of 4708	2408	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	71

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1168	powershell.exe
1168	powershell.exe
1168	powershell.exe
644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
4708	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
4708	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeShutdownPrivilege	2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
Token: SeDebugPrivilege	4708	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 1168	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	66
PID 644 wrote to memory of 1168	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	66
PID 644 wrote to memory of 1168	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	66
PID 644 wrote to memory of 3548	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	68
PID 644 wrote to memory of 3548	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	68
PID 644 wrote to memory of 3548	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	68
PID 644 wrote to memory of 2780	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	69
PID 644 wrote to memory of 2780	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	69
PID 644 wrote to memory of 2780	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	69
PID 644 wrote to memory of 2780	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	69
PID 644 wrote to memory of 2780	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	69
PID 644 wrote to memory of 2780	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	69
PID 644 wrote to memory of 2780	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	69
PID 644 wrote to memory of 2780	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	69
PID 644 wrote to memory of 2780	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	69
PID 644 wrote to memory of 2780	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	69
PID 644 wrote to memory of 2780	644	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	69
PID 2780 wrote to memory of 2408	2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	70
PID 2780 wrote to memory of 2408	2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	70
PID 2780 wrote to memory of 2408	2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	70
PID 2780 wrote to memory of 2408	2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	70
PID 2780 wrote to memory of 2408	2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	70
PID 2780 wrote to memory of 2408	2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	70
PID 2780 wrote to memory of 2408	2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	70
PID 2780 wrote to memory of 2408	2780	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	70
PID 2408 wrote to memory of 4708	2408	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	71
PID 2408 wrote to memory of 4708	2408	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	71
PID 2408 wrote to memory of 4708	2408	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	71
PID 2408 wrote to memory of 4708	2408	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	71
PID 2408 wrote to memory of 4708	2408	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	71
PID 2408 wrote to memory of 4708	2408	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	71
PID 2408 wrote to memory of 4708	2408	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	71
PID 2408 wrote to memory of 4708	2408	da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe	71

C:\Users\Admin\AppData\Local\Temp\da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
"C:\Users\Admin\AppData\Local\Temp\da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgA5AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
  C:\Users\Admin\AppData\Local\Temp\da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
  2⤵
  PID:3548
- C:\Users\Admin\AppData\Local\Temp\da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
  C:\Users\Admin\AppData\Local\Temp\da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
    -a "C:\Users\Admin\AppData\Local\707c9a17\plg\BXq0RPj8.json"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\da8f7c39a3136c6546c6f2e36872be49ddd7a8dd53002e12d04739680e4821b8.exe
      -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
      4⤵
      Loads dropped DLL
      Accesses Microsoft Outlook accounts
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\707c9a17\plg\BXq0RPj8.json

Filesize
1KB

MD5
77e6621fd939338d3f19f3dd948ecf43

SHA1
53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

SHA256
9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

SHA512
6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\License.XenArmor

Filesize
104B

MD5
4f3bde9212e17ef18226866d6ac739b6

SHA1
732733bec8314beb81437e60876ffa75e72ae6cd

SHA256
212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

SHA512
10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

Download Submit
C:\Users\Admin\AppData\Local\Temp\License.XenArmor

Filesize
104B

MD5
bf5da170f7c9a8eae88d1cb1a191ff80

SHA1
dd1b991a1b03587a5d1edc94e919a2070e325610

SHA256
e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

SHA512
9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\AppData\Local\Temp\unk.xml

Filesize
1KB

MD5
77e6621fd939338d3f19f3dd948ecf43

SHA1
53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

SHA256
9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

SHA512
6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

Download Submit
\Users\Admin\AppData\Local\Temp\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
memory/644-167-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-141-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-125-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-126-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-127-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-128-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-129-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-130-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-131-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-132-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-133-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-134-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-135-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-136-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-137-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-138-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-139-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-140-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-142-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-170-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-143-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-144-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-145-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-146-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-147-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-148-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-149-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-171-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-151-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-152-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download
memory/644-153-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-154-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-155-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-156-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-157-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-158-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-159-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-160-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-164-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-163-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-162-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-161-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-165-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-166-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-123-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-169-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-122-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-124-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-150-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-172-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-173-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-174-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-175-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-177-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-176-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-180-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-181-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-182-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-179-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-178-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-184-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-183-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-197-0x00000000064D0000-0x00000000068B4000-memory.dmp

Filesize
3.9MB

Download
memory/644-198-0x0000000006950000-0x00000000069E2000-memory.dmp

Filesize
584KB

Download
memory/644-199-0x0000000006EF0000-0x00000000073EE000-memory.dmp

Filesize
5.0MB

Download
memory/644-200-0x00000000069F0000-0x0000000006A12000-memory.dmp

Filesize
136KB

Download
memory/644-202-0x0000000006B50000-0x0000000006EA0000-memory.dmp

Filesize
3.3MB

Download
memory/644-120-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-121-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/644-168-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1168-250-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1168-278-0x0000000007480000-0x000000000749C000-memory.dmp

Filesize
112KB

Download
memory/1168-283-0x0000000007C70000-0x0000000007CE6000-memory.dmp

Filesize
472KB

Download
memory/1168-294-0x00000000092C0000-0x0000000009938000-memory.dmp

Filesize
6.5MB

Download
memory/1168-273-0x0000000007200000-0x0000000007266000-memory.dmp

Filesize
408KB

Download
memory/1168-295-0x0000000008A20000-0x0000000008A3A000-memory.dmp

Filesize
104KB

Download
memory/1168-255-0x0000000006BD0000-0x00000000071F8000-memory.dmp

Filesize
6.2MB

Download
memory/1168-275-0x00000000073F0000-0x0000000007456000-memory.dmp

Filesize
408KB

Download
memory/1168-279-0x0000000007D00000-0x0000000007D4B000-memory.dmp

Filesize
300KB

Download
memory/2408-524-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2408-428-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2780-402-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2780-317-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2780-401-0x0000000074390000-0x00000000743CA000-memory.dmp

Filesize
232KB

Download
memory/2780-364-0x0000000074390000-0x00000000743CA000-memory.dmp

Filesize
232KB

Download
memory/2780-526-0x0000000074390000-0x00000000743CA000-memory.dmp

Filesize
232KB

Download
memory/4708-506-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4708-507-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/4708-520-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4708-521-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download