bitrat | 5c362423456076e89659ae8ad2069d05a12ec769d27623fea060c4c7715e27ea

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-09-2023 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAIN-Forms.exe
Size

112KB
MD5

a9db678b7bad6d2bae54505759452dd9
SHA1

b0ab52df85ec1595f0a2d1f4e4d09552ea27505a
SHA256

5c362423456076e89659ae8ad2069d05a12ec769d27623fea060c4c7715e27ea
SHA512

641c8a32a821b557cb7050d4ccfa1dfd5f02d4e6d5ce88f1ce305e9887d17c40368829c89a8e7f64880acd368288ed55a1b0b363b0b0f8da833eae2bf4cb807a
SSDEEP

1536:I7saA2chvktTeipnA5+PYpaqjxqYbKZCrXgMeYA5+PeOQT:I620vkt5pnAwlexvbKZwtAwET

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

smgqnt3eixxksasu.xyz:1234

Attributes

communication_password
30afda4853ef5b1bc36463ba95d84247
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

ywktElPgPaVJ1F2q.exeE3X0e0Kvg9TMm3k9.exe

pid process

1532 ywktElPgPaVJ1F2q.exe
1724 E3X0e0Kvg9TMm3k9.exe

pid	process
1532	ywktElPgPaVJ1F2q.exe
1724	E3X0e0Kvg9TMm3k9.exe

Loads dropped DLL 8 IoCs

Processes:

PAIN-Forms.exeaspnet_compiler.exe

pid	process
2704	PAIN-Forms.exe
2704	PAIN-Forms.exe
2704	PAIN-Forms.exe
2704	PAIN-Forms.exe
1400	aspnet_compiler.exe
1400	aspnet_compiler.exe
1400	aspnet_compiler.exe
1400	aspnet_compiler.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exeywktElPgPaVJ1F2q.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAIN-Forms = "C:\\Users\\Admin\\Documents\\PAIN-Forms.pif"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\checkupdater = "C:\\Users\\Admin\\AppData\\Local\\checkupdater.exe"	ywktElPgPaVJ1F2q.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

PAIN-Forms.exeaspnet_compiler.exe

pid	process
2704	PAIN-Forms.exe
2704	PAIN-Forms.exe
2704	PAIN-Forms.exe
2704	PAIN-Forms.exe
2704	PAIN-Forms.exe
1400	aspnet_compiler.exe
1400	aspnet_compiler.exe
1400	aspnet_compiler.exe
1400	aspnet_compiler.exe
1400	aspnet_compiler.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

PAIN-Forms.exeywktElPgPaVJ1F2q.exe

description	pid	process	target process
PID 2952 set thread context of 2704	2952	PAIN-Forms.exe	PAIN-Forms.exe
PID 1532 set thread context of 1400	1532	ywktElPgPaVJ1F2q.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

PAIN-Forms.exeywktElPgPaVJ1F2q.exe

pid	process
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
2952	PAIN-Forms.exe
1532	ywktElPgPaVJ1F2q.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

PAIN-Forms.exePAIN-Forms.exeywktElPgPaVJ1F2q.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	2952	PAIN-Forms.exe
Token: SeDebugPrivilege	2704	PAIN-Forms.exe
Token: SeShutdownPrivilege	2704	PAIN-Forms.exe
Token: SeDebugPrivilege	1532	ywktElPgPaVJ1F2q.exe
Token: SeDebugPrivilege	1400	aspnet_compiler.exe
Token: SeShutdownPrivilege	1400	aspnet_compiler.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

PAIN-Forms.exeaspnet_compiler.exe

pid process

2704 PAIN-Forms.exe
2704 PAIN-Forms.exe
1400 aspnet_compiler.exe
1400 aspnet_compiler.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

PAIN-Forms.execmd.exePAIN-Forms.exeywktElPgPaVJ1F2q.exeaspnet_compiler.exe

description	pid	process	target process
PID 2952 wrote to memory of 1664	2952	PAIN-Forms.exe	cmd.exe
PID 2952 wrote to memory of 1664	2952	PAIN-Forms.exe	cmd.exe
PID 2952 wrote to memory of 1664	2952	PAIN-Forms.exe	cmd.exe
PID 2952 wrote to memory of 1664	2952	PAIN-Forms.exe	cmd.exe
PID 1664 wrote to memory of 2680	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 2680	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 2680	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 2680	1664	cmd.exe	reg.exe
PID 2952 wrote to memory of 1992	2952	PAIN-Forms.exe	cmd.exe
PID 2952 wrote to memory of 1992	2952	PAIN-Forms.exe	cmd.exe
PID 2952 wrote to memory of 1992	2952	PAIN-Forms.exe	cmd.exe
PID 2952 wrote to memory of 1992	2952	PAIN-Forms.exe	cmd.exe
PID 2952 wrote to memory of 2704	2952	PAIN-Forms.exe	PAIN-Forms.exe
PID 2952 wrote to memory of 2704	2952	PAIN-Forms.exe	PAIN-Forms.exe
PID 2952 wrote to memory of 2704	2952	PAIN-Forms.exe	PAIN-Forms.exe
PID 2952 wrote to memory of 2704	2952	PAIN-Forms.exe	PAIN-Forms.exe
PID 2952 wrote to memory of 2704	2952	PAIN-Forms.exe	PAIN-Forms.exe
PID 2952 wrote to memory of 2704	2952	PAIN-Forms.exe	PAIN-Forms.exe
PID 2952 wrote to memory of 2704	2952	PAIN-Forms.exe	PAIN-Forms.exe
PID 2952 wrote to memory of 2704	2952	PAIN-Forms.exe	PAIN-Forms.exe
PID 2952 wrote to memory of 2704	2952	PAIN-Forms.exe	PAIN-Forms.exe
PID 2952 wrote to memory of 2704	2952	PAIN-Forms.exe	PAIN-Forms.exe
PID 2952 wrote to memory of 2704	2952	PAIN-Forms.exe	PAIN-Forms.exe
PID 2952 wrote to memory of 2704	2952	PAIN-Forms.exe	PAIN-Forms.exe
PID 2704 wrote to memory of 1532	2704	PAIN-Forms.exe	ywktElPgPaVJ1F2q.exe
PID 2704 wrote to memory of 1532	2704	PAIN-Forms.exe	ywktElPgPaVJ1F2q.exe
PID 2704 wrote to memory of 1532	2704	PAIN-Forms.exe	ywktElPgPaVJ1F2q.exe
PID 2704 wrote to memory of 1532	2704	PAIN-Forms.exe	ywktElPgPaVJ1F2q.exe
PID 1532 wrote to memory of 1400	1532	ywktElPgPaVJ1F2q.exe	aspnet_compiler.exe
PID 1532 wrote to memory of 1400	1532	ywktElPgPaVJ1F2q.exe	aspnet_compiler.exe
PID 1532 wrote to memory of 1400	1532	ywktElPgPaVJ1F2q.exe	aspnet_compiler.exe
PID 1532 wrote to memory of 1400	1532	ywktElPgPaVJ1F2q.exe	aspnet_compiler.exe
PID 1532 wrote to memory of 1400	1532	ywktElPgPaVJ1F2q.exe	aspnet_compiler.exe
PID 1532 wrote to memory of 1400	1532	ywktElPgPaVJ1F2q.exe	aspnet_compiler.exe
PID 1532 wrote to memory of 1400	1532	ywktElPgPaVJ1F2q.exe	aspnet_compiler.exe
PID 1532 wrote to memory of 1400	1532	ywktElPgPaVJ1F2q.exe	aspnet_compiler.exe
PID 1532 wrote to memory of 1400	1532	ywktElPgPaVJ1F2q.exe	aspnet_compiler.exe
PID 1532 wrote to memory of 1400	1532	ywktElPgPaVJ1F2q.exe	aspnet_compiler.exe
PID 1532 wrote to memory of 1400	1532	ywktElPgPaVJ1F2q.exe	aspnet_compiler.exe
PID 1532 wrote to memory of 1400	1532	ywktElPgPaVJ1F2q.exe	aspnet_compiler.exe
PID 1400 wrote to memory of 1724	1400	aspnet_compiler.exe	E3X0e0Kvg9TMm3k9.exe
PID 1400 wrote to memory of 1724	1400	aspnet_compiler.exe	E3X0e0Kvg9TMm3k9.exe
PID 1400 wrote to memory of 1724	1400	aspnet_compiler.exe	E3X0e0Kvg9TMm3k9.exe
PID 1400 wrote to memory of 1724	1400	aspnet_compiler.exe	E3X0e0Kvg9TMm3k9.exe

C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe
"C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PAIN-Forms" /t REG_SZ /F /D "C:\Users\Admin\Documents\PAIN-Forms.pif"
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PAIN-Forms" /t REG_SZ /F /D "C:\Users\Admin\Documents\PAIN-Forms.pif"
3⤵
- Adds Run key to start application
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe" "C:\Users\Admin\Documents\PAIN-Forms.pif"
2⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe
"C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\ywktElPgPaVJ1F2q.exe
"C:\Users\Admin\AppData\Local\Temp\ywktElPgPaVJ1F2q.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
4⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\E3X0e0Kvg9TMm3k9.exe
"C:\Users\Admin\AppData\Local\Temp\E3X0e0Kvg9TMm3k9.exe"
5⤵
- Executes dropped EXE
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E3X0e0Kvg9TMm3k9.exe
Filesize
6.1MB

MD5
fab73af287c1c2d2c9f7eb56ae418c2a

SHA1
b9afbf362fd3a04290b37a2abafece67fba21b1b

SHA256
33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

SHA512
c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3X0e0Kvg9TMm3k9.exe
Filesize
6.1MB

MD5
fab73af287c1c2d2c9f7eb56ae418c2a

SHA1
b9afbf362fd3a04290b37a2abafece67fba21b1b

SHA256
33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

SHA512
c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywktElPgPaVJ1F2q.exe
Filesize
6.1MB

MD5
fab73af287c1c2d2c9f7eb56ae418c2a

SHA1
b9afbf362fd3a04290b37a2abafece67fba21b1b

SHA256
33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

SHA512
c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywktElPgPaVJ1F2q.exe
Filesize
6.1MB

MD5
fab73af287c1c2d2c9f7eb56ae418c2a

SHA1
b9afbf362fd3a04290b37a2abafece67fba21b1b

SHA256
33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

SHA512
c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywktElPgPaVJ1F2q.exe
Filesize
6.1MB

MD5
fab73af287c1c2d2c9f7eb56ae418c2a

SHA1
b9afbf362fd3a04290b37a2abafece67fba21b1b

SHA256
33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

SHA512
c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

Download Submit
\Users\Admin\AppData\Local\Temp\E3X0e0Kvg9TMm3k9.exe
Filesize
6.1MB

MD5
fab73af287c1c2d2c9f7eb56ae418c2a

SHA1
b9afbf362fd3a04290b37a2abafece67fba21b1b

SHA256
33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

SHA512
c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

Download Submit
\Users\Admin\AppData\Local\Temp\E3X0e0Kvg9TMm3k9.exe
Filesize
6.1MB

MD5
fab73af287c1c2d2c9f7eb56ae418c2a

SHA1
b9afbf362fd3a04290b37a2abafece67fba21b1b

SHA256
33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

SHA512
c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

Download Submit
\Users\Admin\AppData\Local\Temp\E3X0e0Kvg9TMm3k9.exe
Filesize
6.1MB

MD5
fab73af287c1c2d2c9f7eb56ae418c2a

SHA1
b9afbf362fd3a04290b37a2abafece67fba21b1b

SHA256
33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

SHA512
c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

Download Submit
\Users\Admin\AppData\Local\Temp\E3X0e0Kvg9TMm3k9.exe
Filesize
6.1MB

MD5
fab73af287c1c2d2c9f7eb56ae418c2a

SHA1
b9afbf362fd3a04290b37a2abafece67fba21b1b

SHA256
33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

SHA512
c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

Download Submit
\Users\Admin\AppData\Local\Temp\ywktElPgPaVJ1F2q.exe
Filesize
6.1MB

MD5
fab73af287c1c2d2c9f7eb56ae418c2a

SHA1
b9afbf362fd3a04290b37a2abafece67fba21b1b

SHA256
33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

SHA512
c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

Download Submit
\Users\Admin\AppData\Local\Temp\ywktElPgPaVJ1F2q.exe
Filesize
6.1MB

MD5
fab73af287c1c2d2c9f7eb56ae418c2a

SHA1
b9afbf362fd3a04290b37a2abafece67fba21b1b

SHA256
33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

SHA512
c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

Download Submit
\Users\Admin\AppData\Local\Temp\ywktElPgPaVJ1F2q.exe
Filesize
6.1MB

MD5
fab73af287c1c2d2c9f7eb56ae418c2a

SHA1
b9afbf362fd3a04290b37a2abafece67fba21b1b

SHA256
33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

SHA512
c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

Download Submit
\Users\Admin\AppData\Local\Temp\ywktElPgPaVJ1F2q.exe
Filesize
6.1MB

MD5
fab73af287c1c2d2c9f7eb56ae418c2a

SHA1
b9afbf362fd3a04290b37a2abafece67fba21b1b

SHA256
33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

SHA512
c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

Download Submit
memory/1400-129-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/1400-131-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/1400-117-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1400-141-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/1400-140-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/1400-136-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1532-64-0x0000000004CF0000-0x0000000004EF6000-memory.dmp

Filesize
2.0MB

Download
memory/1532-66-0x00000000056F0000-0x00000000058E4000-memory.dmp

Filesize
2.0MB

Download
memory/1532-65-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/1532-67-0x0000000000730000-0x000000000077C000-memory.dmp

Filesize
304KB

Download
memory/1532-72-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/1532-73-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/1532-62-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/1532-63-0x0000000000850000-0x0000000000E74000-memory.dmp

Filesize
6.1MB

Download
memory/1532-115-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/1724-172-0x0000000072DB0000-0x000000007349E000-memory.dmp

Filesize
6.9MB

Download
memory/1724-173-0x0000000001220000-0x0000000001844000-memory.dmp

Filesize
6.1MB

Download
memory/1724-174-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/2704-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-80-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-39-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-40-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download
memory/2704-41-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-35-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-34-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-33-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-32-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download
memory/2704-31-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download
memory/2704-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-29-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-59-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-25-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-8-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-70-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-22-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-76-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-38-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-84-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-88-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-92-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-94-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-98-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-10-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-15-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-14-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-13-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-12-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2704-11-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2952-21-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-0-0x0000000000D80000-0x0000000000DA2000-memory.dmp

Filesize
136KB

Download
memory/2952-5-0x0000000000580000-0x00000000005C0000-memory.dmp

Filesize
256KB

Download
memory/2952-4-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-3-0x0000000005C50000-0x0000000005E48000-memory.dmp

Filesize
2.0MB

Download
memory/2952-2-0x0000000000580000-0x00000000005C0000-memory.dmp

Filesize
256KB

Download
memory/2952-1-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download